The Content-Security-Policy response header is a defense-in-depth mechanism that protects data from content injection vulnerabilities such as cross-site scripting (XSS) attacks. It gives developers a policy mechanism to detect flaws in their application and to reduce the application's privileges, and it provides granular control over which content the application may load, preventing a range of attacks and maintaining content integrity.
On the Web site parameters page, scroll down to the Security section.
Click on the "Content Security Policy" link.
Click on Enable feature to activate the restriction header.
Click on the "New rule" button.
Set a description for your rule.
Add Content-Security-Policy in the HTTP header field.
Inside the content field, add the value in the following format:
Multiple policy directives can be used on one line, separated by semicolons.
Directives:
child-src: Controls the creation of nested browsing contexts (frames) and the requests that populate Workers. child-src https://example.com/
default-src: Serves as the default source list for the policy and as the fallback for the other fetch directives when they are not set. default-src 'self'
frame-src: Restricts the URLs that may be loaded into nested browsing contexts (frames). frame-src https://example.com/
manifest-src: Controls the URLs from which an application manifest may be loaded. manifest-src https://example.com/
object-src: Restricts the URLs from which plugin content can be loaded into the application. object-src https://example.com/
connect-src: Controls the URLs that can be loaded through scripting interfaces in the application. connect-src https://example.com/
font-src: Controls the URLs from which fonts can be loaded into the application. font-src https://example.com/
img-src: Controls the URLs from which images can be loaded into the application. img-src https://example.com/
media-src: Controls the URLs from which audio, video and associated text track resources can be loaded into the application. media-src https://example.com/
style-src: Controls the sources from which stylesheets can be loaded and applied to the application.
script-src: Controls the sources from which JavaScript can be loaded and executed in the application.
The following directives are experimental: prefetch-src, script-src-elem, script-src-attr, style-src-elem, style-src-attr and worker-src.
plugin-types: Restricts the types of plugin content (by MIME type) that can be embedded into a document. plugin-types application/pdf
base-uri: Controls the URLs that can be used in the document's base element.
sandbox: Applies an HTML sandbox policy, enforced by the user agent, as specified by the directive's values.
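To check a header value before entering it in the rule, the following added example (not code from the original page or from the control panel it describes) parses the semicolon-separated format above into its directives, resolves the default-src fallback, and flags settings that weaken the policy; the two sample policies are constructed for illustration.

```python
"""Parse a Content-Security-Policy value and flag weak settings.

Added example, not the page's own code. Directive names follow the list
above; WEAK_POLICY and HARDENED_POLICY are constructed sample values.
"""
from typing import Dict, List

# Fetch directives that fall back to default-src when they are absent.
FETCH_DIRECTIVES = {
    "child-src", "connect-src", "font-src", "frame-src", "img-src",
    "manifest-src", "media-src", "object-src", "script-src", "style-src",
}


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split a policy into {directive: [source expressions]}.

    Directives are separated by ';'; inside a directive the first token is
    the name and the rest are sources. A repeated directive is ignored,
    matching browser behaviour (the first occurrence wins).
    """
    policy: Dict[str, List[str]] = {}
    for part in header_value.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources that apply to a directive once the default-src fallback is resolved."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", []) if directive in FETCH_DIRECTIVES else []


def audit_csp(header_value: str) -> List[str]:
    """Return findings about weak settings; an empty list means none were found."""
    policy = parse_csp(header_value)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("no default-src: fetch directives you omit are unrestricted")
    for directive in ("script-src", "style-src"):
        sources = effective_sources(policy, directive)
        if "'unsafe-inline'" in sources:
            findings.append(f"{directive} allows 'unsafe-inline'")
        if "*" in sources:
            findings.append(f"{directive} allows any origin (*)")
    if "'unsafe-eval'" in effective_sources(policy, "script-src"):
        findings.append("script-src allows 'unsafe-eval'")
    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none': plugin content can be embedded")
    if "base-uri" not in policy:
        findings.append("no base-uri: an injected <base> element can redirect relative URLs")
    return findings


# Constructed samples: a permissive policy and a tightened version of it.
WEAK_POLICY = "script-src 'self' 'unsafe-inline' *; img-src *"
HARDENED_POLICY = ("default-src 'self'; script-src 'self'; style-src 'self'; "
                   "object-src 'none'; base-uri 'self'; frame-src https://example.com/")
```

Running audit_csp on WEAK_POLICY reports five findings, while HARDENED_POLICY reports none.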