Content Security Policy CSP

What is Content Security Policy?


Content Security Policy is internet security standard to prevent the known attack like Cross-site scripting XSS, click hijacking and code injection. For example like, if your visiting website is http://www.example.com  then you only able to access the data come from http://www.example.com, others URL or script and CDN like http://google.com/jquery.js also will be blocked.

Beside that, it also contain some inline script <button onclick="testing()">Click Me!</button> will also be blocked. unless you do some configuration on the header.


In short, it will do the following:
1) Whitelist to tell the client (Normally is Browser) what's allowed and what is not allowed.
2) Learn what directives are available
3) Learn the keywords they take
4) Inline code and eval () are considered harmful
5) Report Policy violations to your server before enforcing them.



How to implement Content Security Policy (CSP)?


<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy" value="default-src 'self';" />
    </customHeaders>
  </httpProtocol> 
</system.webServer> 
Above is the method to do the CSP on IIS, you need to add the following to the Web.config, this will cause the website only allows the source which is self. (In another world mean the website itself.)


Besides the value default-src, there are various more directives references.
  • base-uri restricts the URLs that can appear in a page's <base> element.
  • child-src lists the URLs for workers and embedded frame contents. For example: child-src https://youtube.com would enable embedding videos from YouTube but not from other origins. Use this in place of the deprecated directiveframe-src.
  • connect-src limits the origins that you can connect to (via XHR, WebSockets, and EventSource).
  • font-src specifies the origins that can serve web fonts. Google's web fonts could be enabled via font-src https://themes.googleusercontent.com.
  • form-action lists valid endpoints for submission from <form> tags.
  • frame-ancestors specifies the sources that can embed the current page. This directive applies to <frame><iframe><embed>, and <applet> tags. This directive can't be used in <meta> tags and applies only to non-HTML resources.
  • frame-src deprecated. Use child-src instead.
  • img-src defines the origins from which images can be loaded.
  • media-src restricts the origins allowed to deliver video and audio.
  • object-src allows control over Flash and other plugins.
  • plugin-types limits the kinds of plugins a page may invoke.
  • report-uri specifies a URL where a browser will send reports when a content security policy is violated. This directive can't be used in <meta> tags.
  • style-src is script-src's counterpart for stylesheets.
  • upgrade-insecure-requests instructs user agents to rewrite URL schemes, changing HTTP to HTTPS. This directive is for websites with large numbers of old URL's that need to be rewritten.






Comments

  1. AnonymousApril 7, 2022 at 8:34 AM

    Content Security Policy Csp >>>>> Download Now

    >>>>> Download Full

    Content Security Policy Csp >>>>> Download LINK

    >>>>> Download Now

    Content Security Policy Csp >>>>> Download Full

    >>>>> Download LINK WS

    ReplyDelete

Post a Comment

Popular posts from this blog

Reading and Writing Operation of SRAM

Image
The diagram below is illustrate Static Random Access Memory (SRAM)Cell for the explanation. SRAM cell is make up of 2 inverters are cross-connected to form a latch .The latch is connected to 2 bit line by transistor T1 and T2 . T1 and T2 can switch opened or closed under control of word line.When word line is ground level, the transistors are turned off and the latch retrains its state. During the Read Operation ,Word line is activated to close switches T1 and T2 . If the cell is in state 1; the signal on b line is high and the signal on b’ line is low.The opposite is true if the cell is in state 0.Thus, b and b’ are always complements of each other’s. The sense /write circuit at the end of the two bit line monitors their state and sets the corresponding output accordingly. While in Write Operation ,the Sense/Write circuit drives bit lines b and b’, instead of sensing their state.It places the appropriate value on bit line b and its complement on b’ and activate the word ...
Read more

Reading & Writing Operation of DRAM

Image
In Dynamic Random Access Memory CELL , transistor acts as a switch to Close (allowing current to flow) when voltage applied in address line or Open (no current flow) when no voltage applied in address line.Address Line also known as word line .Which use to signal the transistor to close or open. During the Write operation ,a voltage is applied on the bit line and a signal applied to the address line to close the transistor.Then the voltage applied on the bit line will transfer to capacitor and store in the capacitor However the capacitor has tendency to discharge and has to refresh to maintain the bit. While in Reading Operation ,the instruction find the bit store using the address line to read the data or bit. When the address line is selected ,the transistor turns on and the charge stored on the capacitor is fled out onto a bit line and to sense amplifier. Sense amplifiers compare the capacitor voltage to reference value to determine the logic 1 or logic 0.The read out from ...
Read more

Tomcat Debug Cannot Startup

Image
Today I download the Windows binary version of the Apache Tomcat , after I follow the guide to install the tomcat , when I using the command line startup.bat the tomcat, a command prompt out then close automatically. while the command prompt only show this. Another command prompt is come out but exit automatically and the Apache tomcat Server is not start which test it using the browser key in localhost:8080, but turns out is connection timeout. I look through the startup.bat and found that it call catalina.bat with no arguments. The catalina.bat is too long , very lazy to look at it. I try to google it the way to stop the pop up command prompt close. Ok , no more story straight to the solution: 1) Type in "catalina.bat run" at the bin directory of your apache tomcat folder.(or in baby step type in "C:\tomcat\bin\catalina.bat run" replace the tomcat with the name of your Apache directory) 2) Then it come out the logs cannot create logs  org.a...
Read more