Content Security Policy (CSP) is a security standard for web developers. CSP describes policies for restricting the list of sources from which scripts and design elements can be loaded when the user opens the site in their browser. CSP can also prevent such elements being loaded via insecure channels. Defined in the website code, CSP policies help reduce the risk of third-party code injection attacks, such as cross-site scripting (XSS).
CSP was conceived by Robert Hansen in 2004. It was detailed in a document that was originally named Content Restrictions, but was not applied in practice back then. The first browser to support Content Restrictions was Firefox 4, released in 2011, while the first version of the actual CSP standard, Level 1, came out in 2012 under the aegis of the World Wide Web Consortium (W3C). The current version, as of 2023 is the working draft CSP Level 3, published in 2018.
CSP has W3C recommendation status. The standard is supported by all major browsers. Firefox has been working with the current CSP syntax since version 23, Chrome since version 25, and Safari since version 7. Browsers without support for CSP directives ignore them and display content prohibited by them.
How CSP directives work
CPS instructions are defined on the website side. This is done using a special Content-Security-Policy HTTP header or a <meta> HTML tag. HTTP headers are a set of metadata exchanged between a client (browser) and a server (website). When a user tries to open a web page, the site sends information about the page to the browser, including CSP directives.
Directives indicate which sources website elements can be loaded from. For example, a CSP directive can allow the browser to download only images that are on the website server. CSP can also allow or deny loading of objects over an insecure HTTP protocol, running of plugins, and so on.
On the browser side, directives are first processed, and then only allowlisted elements are loaded and executed. If there are elements on the page blocked by CSP instructions, they will simply not load. The user will not see any error messages.
The Content Security Policy standard is aimed primarily at countering attacks in which third-party code is embedded on the target site. CSP instructions can protect against malicious activity such as:
- Cross-Site Scripting (XSS) — embedding third-party code on a website or an individual web page. CSP allows browsers to load scripts only from trusted sources, so that malicious code is not triggered when a site is opened.
- Clickjacking — placing a transparent layer with active elements over the main content of the page. CSP allows you to block the execution of code from untrusted sources, as well as scripts embedded directly in the page’s HTML code, so the transparent layer does not load in the browser.
With CSP, developers can also receive reports on blocked elements, allowing them to track malicious activity on a site.
Note, however, that CSP does not provide a 100% protection guarantee. Attackers can use legitimate sources of scripts, such as Google Analytics, which many developers list as a trusted source. Therefore, we recommend using CSP not in isolation, but in combination with other protection methods against such attacks.