Content Security Policy (EN)

Protocol

Security mechanism that controls content execution on web pages

Content Security Policy (CSP)

Content Security Policy (CSP) is a security mechanism that lets web application developers instruct the browser which types of content may be loaded and executed on a page. A defined CSP helps prevent attacks such as Cross-Site Scripting (XSS), because the policy blocks the execution of scripts the page has not authorized. CSP is delivered via an HTTP response header and can set separate rules for resource types such as scripts, stylesheets, images, and frames. A properly implemented CSP is an essential protection mechanism for modern web applications and significantly raises their security level.

Architecture

flowchart TD
    A[Client Browser] -->|HTTP Request| B[Web Server]
    B -->|CSP Header| A
    B -->|Resources| C[CDN/Origin Server]
    A -->|Resource request| C
    A -->|Policy Check| D[CSP Engine]
    D -->|Allowed| E[Load resources]
    D -->|Blocked| F[Deny]

In Context

  • Typically used together with HTTPS, Subresource Integrity (SRI) and Strict-Transport-Security (HSTS)
  • Related to: Cross-Site Scripting (XSS), HTTP headers, Web Application Firewall (WAF)
  • Example usage: Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.cdn.com;
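As an added example (not part of the original page), a small Python checker that parses the example header quoted above and decides whether a given resource load would be permitted, including the fallback from an unset directive to default-src. The matching rules are a simplified model of the browser's behaviour (an assumption): ports, paths, nonces and hashes are not modelled.

```python
from urllib.parse import urlparse

# Constructed policy, identical to the example header quoted on this page.
EXAMPLE_POLICY = "default-src 'self'; script-src 'self' https://trusted.cdn.com;"

def parse_csp(header):
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # Browsers keep the first occurrence of a directive and ignore later duplicates.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def _source_matches(source, url, page_origin):
    """Simplified (assumed) source-expression matching: 'self', 'none', '*',
    scheme sources such as https:, host sources and *.host wildcards."""
    src = source.lower()
    u = urlparse(url)
    if src == "'none'":
        return False
    if src == "'self'":
        p = urlparse(page_origin)
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if src == "*":
        return True
    if src.endswith(":"):
        return u.scheme == src[:-1]
    s = urlparse(src if "://" in src else "//" + src)
    if s.scheme and s.scheme != u.scheme:
        return False
    host = s.hostname or ""
    if host.startswith("*."):
        return bool(u.hostname) and u.hostname.endswith(host[1:])
    return u.hostname == host

def is_allowed(policy, directive, url, page_origin):
    """True if fetching `url` under `directive` is permitted; an unset fetch
    directive falls back to default-src, and no default-src means no restriction."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(_source_matches(s, url, page_origin) for s in sources)

def inline_scripts_allowed(policy):
    """Inline <script> blocks run only if script-src (or default-src) lists 'unsafe-inline'."""
    sources = policy.get("script-src", policy.get("default-src", []))
    return "'unsafe-inline'" in [s.lower() for s in sources]
```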
Source: AI Generated