CSP
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.
Why is CSP necessary?
Mitigating XSS Attacks: when scripts may load only from the sources the policy lists, and inline scripts run only with a matching nonce or hash, a script injected through an XSS flaw is refused by the browser even though the flaw itself is still present.
Preventing Data Injection Attacks: directives such as connect-src, form-action and base-uri limit where injected markup can send data or redirect requests, which narrows what an attacker gains from an injection point.
Protecting Against Clickjacking: the frame-ancestors directive declares which origins may embed the page in a frame, replacing the older X-Frame-Options header.
How does CSP work?
Policy Declaration:
HTTP Header: the web server sends the policy in a Content-Security-Policy response header. A Content-Security-Policy-Report-Only header carries the same syntax but only reports violations without blocking anything, which is the safest way to try a new policy on a live site.
Meta Tag: alternatively, the policy can be declared in the HTML document with <meta http-equiv="Content-Security-Policy" content="..."> placed early in <head>. The meta form cannot carry frame-ancestors, report-uri, report-to or sandbox, so the header is preferred whenever you control the server.
Policy Directives:
default-src: Fallback for the fetch directives (script-src, img-src, and so on) that are not set explicitly. It does not apply to base-uri, form-action or frame-ancestors, which must be set on their own.
script-src: Specifies valid sources for JavaScript.
style-src: Specifies valid sources for stylesheets.
img-src: Specifies valid sources for images.
font-src: Specifies valid sources for fonts.
connect-src: Specifies valid endpoints for script-initiated network requests (fetch, XMLHttpRequest, WebSocket, EventSource, sendBeacon).
frame-src: Specifies valid sources for nested browsing contexts (frame and iframe); it falls back to child-src, then default-src.
object-src: Specifies valid sources for plugin content (object and embed elements, historically Flash). Set it to 'none' unless plugin content is actually needed.
Other directives cover navigation (form-action, base-uri), embedding of the page itself (frame-ancestors) and violation reporting (report-to, report-uri).
Source Expressions:
Source expressions define the allowed sources for each content type. They can be keywords in single quotes ('self', 'none', 'unsafe-inline'), host expressions (example.com, *.example.com, or a URL prefix such as https://example.com), a bare scheme (https:), or a nonce or hash that identifies one specific inline block ('nonce-<random value>', 'sha256-<base64 digest>'). Only the keywords take quotes: a quoted host name such as 'example.com' is not a valid source expression and is ignored by the browser.
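The rules above (default-src fallback, 'self', 'none', host and scheme matching, nonces, and the fact that a nonce or hash switches 'unsafe-inline' off) are easier to trust once you can run them. The following is an added example, not code from the original page: a small model of the browser's source-list evaluation. The policy string, page origin and URLs are constructed samples, and the http-to-https upgrade rule is the only scheme relaxation it implements.

```python
"""Model of how a browser evaluates a Content-Security-Policy source list.

Added example, not code from the original page. Policy strings, page origin
and URLs below are constructed samples.
"""
from urllib.parse import urlsplit

NETWORK_SCHEMES = {"http", "https", "ws", "wss", "ftp"}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443, "ftp": 21}

# Fetch directives inherit from default-src (frame-src via child-src, the *-elem/*-attr
# variants via their parent). base-uri, form-action, frame-ancestors and sandbox are
# deliberately absent: they never fall back to default-src.
FALLBACK = {
    "script-src": "default-src", "style-src": "default-src", "img-src": "default-src",
    "font-src": "default-src", "connect-src": "default-src", "media-src": "default-src",
    "object-src": "default-src", "child-src": "default-src", "frame-src": "child-src",
    "script-src-elem": "script-src", "script-src-attr": "script-src",
    "style-src-elem": "style-src", "style-src-attr": "style-src",
}


def parse_policy(policy):
    """'dir src src; dir src' -> {directive: [sources]}; first occurrence of a directive wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def governing_sources(directives, directive):
    """Walk the fallback chain; None means nothing governs this load (unrestricted)."""
    name = directive
    while name is not None:
        if name in directives:
            return directives[name]
        name = FALLBACK.get(name)
    return None


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # "*.example.com" -> ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def _origin(url):
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))


def source_matches(expr, url, page_origin):
    """Does one source expression allow fetching `url` from a document at `page_origin`?"""
    e = expr.lower()
    u = urlsplit(url)
    page_scheme = urlsplit(page_origin).scheme
    if e == "'self'":
        return _origin(url) == _origin(page_origin)
    if e.startswith("'"):                          # 'none', nonces, hashes, 'unsafe-*': never match a URL
        return False
    if e == "*":                                   # any network scheme; data:/blob: are NOT covered
        return u.scheme in NETWORK_SCHEMES or u.scheme == page_scheme
    if e.endswith(":") and "/" not in e:           # scheme-source such as "https:"
        return u.scheme == e[:-1]
    # host-source: [scheme://]host[:port][/path]
    scheme, rest = e.split("://", 1) if "://" in e else ("", e)
    hostport, sep, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    if scheme and u.scheme != scheme:
        return False
    if not scheme and u.scheme != page_scheme and not (page_scheme == "http" and u.scheme == "https"):
        return False                               # no scheme given: page scheme, or http->https upgrade
    if not _host_matches(host, (u.hostname or "").lower()):
        return False
    url_port = u.port or DEFAULT_PORTS.get(u.scheme)
    if port != "*" and url_port != (int(port) if port else DEFAULT_PORTS.get(u.scheme)):
        return False
    path = sep + tail                              # "/libs/" is a prefix, "/lib.js" an exact match
    if path and not ((path.endswith("/") and (u.path or "/").startswith(path)) or u.path == path):
        return False
    return True


def allowed(policy, directive, url, page_origin):
    """Would the browser fetch `url` under `directive`, given this policy and page origin?"""
    sources = governing_sources(parse_policy(policy), directive)
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


def allows_inline(policy, directive, nonce=None, sha256=None):
    """May an inline script/style block run? Nonce and hash values are case-sensitive."""
    sources = governing_sources(parse_policy(policy), directive)
    if sources is None:
        return True
    if nonce and f"'nonce-{nonce}'" in sources:
        return True
    if sha256 and f"'sha256-{sha256}'" in sources:
        return True
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered)
    # A nonce or hash anywhere in the list switches 'unsafe-inline' off in CSP Level 2+ browsers.
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


# Constructed sample policy and page origin for the demonstration.
SAMPLE_POLICY = ("default-src 'self'; script-src 'self' https://cdn.example.com 'nonce-r4nd0m'; "
                 "img-src *; object-src 'none'; frame-ancestors 'none'")
SAMPLE_PAGE = "https://shop.example"

if __name__ == "__main__":
    for directive, url in [("script-src", "https://cdn.example.com/lib.js"),
                           ("script-src", "https://cdn.example.com:8443/lib.js"),
                           ("style-src", "https://cdn.example.com/site.css"),
                           ("img-src", "data:image/png;base64,AAAA"),
                           ("form-action", "https://evil.example/steal")]:
        print(f"{directive:12} {url:40} -> {allowed(SAMPLE_POLICY, directive, url, SAMPLE_PAGE)}")
    print("inline script, nonce r4nd0m ->", allows_inline(SAMPLE_POLICY, "script-src", nonce="r4nd0m"))
```

Two results are worth pausing on: style-src is absent, so the stylesheet from the CDN is refused because default-src 'self' governs it; and form-action is absent and has no fallback, so the sample policy still lets an injected form post to any origin. The model ignores redirects and 'strict-dynamic', which real browsers also evaluate.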
Examples
Configure CSP for WordPress
Option 1: Modify Server Headers
Apache (using .htaccess)
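An .htaccess fragment for the Apache option, added here as an example and not taken from the page. It assumes mod_headers is loaded and that the host allows .htaccess overrides; the policy value is a placeholder that must be adapted to the theme and plugins in use, since WordPress core and many plugins emit inline scripts that a bare script-src 'self' will block.

```apache
# Added example (not from the page). Requires mod_headers; "always" also attaches the
# header to error responses such as 404 and 500, which Apache otherwise skips.
<IfModule mod_headers.c>
    # Placeholder policy: tighten or loosen per directive after reviewing report-only output.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self'; base-uri 'self'"
</IfModule>
```

Start by setting the same value on Content-Security-Policy-Report-Only instead, confirm in the browser console that nothing the site needs is reported, and only then switch the header name to Content-Security-Policy.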
Nginx (nginx.conf)
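The equivalent nginx directive, again an added example rather than the page's own configuration, with the same placeholder policy value:

```nginx
# Added example (not from the page). Put this in the server {} block that serves WordPress.
# "always" makes nginx send the header on error responses too.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self'; base-uri 'self'" always;
```

One nginx caveat: any add_header inside a nested location {} block replaces every add_header inherited from the enclosing block, so a location that adds its own headers (for example cache headers on static files) silently drops the CSP unless the directive is repeated there. Run nginx -t and reload after editing.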
Option 2: Use a WordPress Plugin
CSP by WP2Static