Background
Content Security Policy (CSP) is a W3C standard that aims to prevent a broad range of content injection attacks, such as cross-site scripting (XSS). It is an effective defense-in-depth technique against content injection attacks. It is a declarative policy that tells the user agent which sources are valid to load content from. Since it was introduced by Mozilla in Firefox version 4, it has been adopted as a standard and has grown in both adoption and capabilities. [OWASP-CSP-CS]
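To make the "declarative policy" concrete, the following Python evaluator is an added example (it is not code from this page or from the OWASP cheat sheet). It parses a Content-Security-Policy header value into directives, decides whether a fetch of a given URL would be permitted under a directive (with the default-src fallback the spec defines), and flags the settings that most often leave a policy weak against script injection. The two header values, the page origin and the host names are constructed for illustration; the matching rules follow the W3C source-expression algorithm in simplified form (only the default-src fallback is modelled, not the child-src/frame-src chain).

```python
"""Minimal Content-Security-Policy evaluator (added example, not from the page)."""
from urllib.parse import urlparse

# Constructed sample policies (not taken from the page): a permissive one and a strict one.
WEAK_POLICY = "default-src 'self' *; script-src 'unsafe-inline' https:"
STRICT_POLICY = ("default-src 'none'; script-src 'self' https://cdn.example.com; "
                 "img-src 'self' data:; object-src 'none'")

# Schemes that the '*' source expression does NOT match (CSP Level 3 source matching).
STAR_EXCLUDED_SCHEMES = {"data", "blob", "filesystem"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header: str) -> dict:
    """Split a header value into {directive-name: [source expressions]}.
    Directives are ';'-separated, names are case-insensitive, and a repeated
    directive is ignored (the first occurrence wins), as the spec requires."""
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url: str):
    """(scheme, host, effective port) of a URL; data:/blob: URLs have no host."""
    p = urlparse(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def _scheme_ok(source_scheme: str, url_scheme: str) -> bool:
    # A source scheme of http: also matches https: (secure upgrade), not the reverse.
    return source_scheme == url_scheme or (source_scheme == "http" and url_scheme == "https")


def _matches(source: str, url: str, page_origin: str) -> bool:
    """Does one source expression match the URL being fetched?"""
    src = source.lower()
    url_scheme, url_host, url_port = _origin(url)
    page = _origin(page_origin)

    if src.startswith("'"):           # keyword: 'self', 'none', 'unsafe-inline', 'nonce-...'
        return src == "'self'" and (url_scheme, url_host, url_port) == page
    if src == "*":                    # everything except data:, blob:, filesystem:
        return url_scheme not in STAR_EXCLUDED_SCHEMES
    if src.endswith(":") and "/" not in src:   # scheme-source such as https: or data:
        return _scheme_ok(src[:-1], url_scheme)

    # host-source: [scheme://]host[:port][/path]; host may begin with a "*." wildcard label
    src_scheme, rest = src.split("://", 1) if "://" in src else (None, src)
    host, _, port = rest.split("/", 1)[0].partition(":")
    if not _scheme_ok(src_scheme if src_scheme else page[0], url_scheme):
        return False
    if host.startswith("*."):
        if not url_host.endswith(host[1:]):    # wildcard needs at least one extra label
            return False
    elif host != url_host:
        return False
    if port == "*":
        return True
    # No explicit port in the source means the URL must use its scheme's default port.
    return url_port == (int(port) if port else DEFAULT_PORTS.get(url_scheme))


def allows(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """Would a fetch governed by `directive` be permitted? A missing fetch directive
    falls back to default-src; with neither present, that resource type is unrestricted."""
    sources = policy.get(directive.lower(), policy.get("default-src"))
    if sources is None:
        return True
    if any(s.lower() == "'none'" for s in sources):
        return False
    return any(_matches(s, url, page_origin) for s in sources)


def weaknesses(policy: dict) -> list:
    """Flag settings that leave the policy weak against script injection."""
    findings = []
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        findings.append("no script-src or default-src: scripts may load from anywhere")
    else:
        low = [s.lower() for s in scripts]
        # 'unsafe-inline' is ignored by CSP2+ browsers when a nonce or hash is also present.
        if "'unsafe-inline'" in low and not any(s.startswith(("'nonce-", "'sha")) for s in low):
            findings.append("script-src allows 'unsafe-inline': injected inline scripts execute")
        if "*" in low:
            findings.append("script-src allows *: scripts may load from any host")
        for s in ("https:", "http:"):
            if s in low:
                findings.append(f"script-src allows {s}: any host on that scheme may serve scripts")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("no object-src or default-src: plugin content is unrestricted")
    return findings


if __name__ == "__main__":
    origin = "https://app.example.com"           # constructed page origin
    for label, header in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        policy = parse_csp(header)
        print(label, "allows evil script:", allows(policy, "script-src", "https://evil.example.net/x.js", origin))
        print(label, "findings:", weaknesses(policy))
```

Run as a script it prints, for each sample header, whether a script from an unrelated host would load and which findings the policy triggers; the strict policy blocks the foreign script and yields no findings, while the weak one allows it and is flagged for `'unsafe-inline'` and the scheme-wide `https:` source. Note the `*` nuance in the weak policy: it still does not admit `data:` images, because `*` excludes data, blob and filesystem schemes.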
Headers
Content-Security-Policy
...
- [CSP] Content Security Policy Reference Guide (with latest browser support information)
- [OWASP-CSP-CS] OWASP Cheat Sheet on Content Security Policy
- [W3C-CSP] W3C working draft of Content Security Policy Level 3
- [CSP-INTRO-1] Content Security Policy - An Introduction
- [CSP-INTRO-2] Introduction to Content Security Policy
Additional Resources
- [Google] Google blogpost on CSP