Preface

My first attempt at blogging, sharing my study notes; criticism and corrections are welcome 👏 ;)

Content-Security-Policy: the Content Security Policy header

What is CSP

  • An HTTP response header that specifies which resources a page may load
  • Effectively helps prevent XSS attacks, data injection attacks and the like
  • Can also be configured through a <meta> tag

What CSP does

  • Prevents or reduces XSS attacks
  • Prevents or reduces application-layer packet sniffing attacks
  • Upgrades the whole page to HTTPS
  • Redirection from HTTP to HTTPS
  • Controls the addresses that XMLHttpRequest, <a>, etc. may access

Preventing or reducing XSS attacks

Background: XSS attacks exploit the browser's trust in server output and user input, allowing malicious code to execute in the page.

With script-src, CSP specifies a whitelist of script sources (the origins scripts may be loaded from). Anything else is ignored, including inline scripts (javascript: URLs) and HTML event handler attributes.

    <!-- 1. <meta> tag: scripts may be loaded only from subdomains of example.com.
         *.example.com does not match example.com itself; list it separately if needed.
         CSP directives are written as "name value", with no colon after the name. -->
    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src *.example.com" />

    // 2. HTTP response header
    Content-Security-Policy: default-src 'self'; script-src *.example.com

Preventing or reducing application-layer packet sniffing attacks

Background: application-layer sniffing attacks mainly occur when HTTP is used for transmission: the attacker reads information straight out of the data packets.

Scheme sources in default-src (https:, blob:, ...) let CSP specify which protocols the page may use to load resources; resources requested over any other protocol are ignored.

    <!-- 1. <meta> tag: same-origin resources plus anything served over HTTPS -->
    <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:" />

    // 2. HTTP response header
    Content-Security-Policy: default-src 'self' https:
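To make the two policies above concrete (the script-src host whitelist and the https: scheme source), here is a small matcher, added as an example and not code from the original post, that parses a policy string and decides whether a given load is allowed. It models 'self', scheme sources, wildcard host sources and the fallback of fetch directives to default-src; nonces, hashes and 'unsafe-*' keywords are left out, and the hostnames and URLs in it are constructed for illustration.

```python
"""Minimal CSP source-list matcher (added example; not the post's own code).

Models the parts of Content-Security-Policy matching discussed in the post:
fallback of fetch directives to default-src, the 'self' keyword, scheme
sources such as https:, and host sources with a leading wildcard such as
*.example.com. Nonce, hash and 'unsafe-*' keywords are not modelled.
"""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when they are not set.
FALLBACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "connect-src", "media-src",
    "font-src", "object-src", "child-src", "manifest-src", "prefetch-src",
}


def parse_csp(header: str) -> dict:
    """Parse a policy string into {directive: [source, ...]}.

    Directives are separated by ';' and written as "name value value ...";
    if a directive is repeated, the first occurrence wins, as in browsers.
    """
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _host_matches(pattern: str, host: str) -> bool:
    """Host-source match: '*.example.com' covers subdomains, not the apex."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def source_allows(source: str, page_url: str, resource_url: str) -> bool:
    """Does one source expression permit resource_url from a page at page_url?"""
    page, res = urlsplit(page_url), urlsplit(resource_url)
    if source == "'none'":
        return False
    if source == "'self'":
        return (page.scheme, page.hostname, page.port) == (res.scheme, res.hostname, res.port)
    if source == "*":
        return res.scheme in ("http", "https", "ws", "wss")  # data:/blob: never match *
    if source.endswith(":") and "/" not in source:
        return res.scheme == source[:-1].lower()  # scheme source, e.g. https:
    if source.startswith("'"):
        return False  # 'nonce-...', 'sha256-...', 'unsafe-inline' are not modelled
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme:
        scheme_ok = res.scheme == src.scheme.lower()
    else:
        # No scheme in the source: match the page's scheme, or an https upgrade of http.
        scheme_ok = res.scheme == page.scheme or (page.scheme == "http" and res.scheme == "https")
    if not scheme_ok or not _host_matches(src.hostname or "", res.hostname or ""):
        return False
    if src.port is not None and src.port != res.port:  # simplification: default ports not inferred
        return False
    if src.path and src.path != "/":
        if src.path.endswith("/"):
            return res.path.startswith(src.path)  # directory prefix
        return res.path == src.path  # exact file
    return True


def is_allowed(policy: dict, directive: str, page_url: str, resource_url: str) -> bool:
    """Apply the policy: look up the directive, fall back to default-src, then match."""
    sources = policy.get(directive)
    if sources is None and directive in FALLBACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True  # no applicable directive: the policy does not restrict this load
    return any(source_allows(s, page_url, resource_url) for s in sources)


if __name__ == "__main__":
    # Constructed page and resource URLs for a quick demonstration.
    policy = parse_csp("default-src 'self'; script-src *.example.com")
    page = "https://shop.example.com/checkout"
    for url in ("https://cdn.example.com/app.js", "https://example.com/app.js"):
        print("script-src", url, is_allowed(policy, "script-src", page, url))
```

Note that with this policy an image from cdn.example.com is still blocked: img-src is not set, so it falls back to default-src 'self', and the script-src wildcard does not help it.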

Upgrading the whole page to HTTPS

The upgrade-insecure-requests directive makes CSP upgrade every HTTP URL the page accesses to HTTPS.

    <!-- 1. <meta> tag: resources are fetched over HTTPS only -->
    <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests" />

    // 2. HTTP response header
    Content-Security-Policy: upgrade-insecure-requests

Redirection from HTTP to HTTPS

Background: some websites have the server (Nginx, for example) configured to redirect HTTP to HTTPS automatically, so the user jumps from the HTTP URL to the HTTPS one. This process still carries a man-in-the-middle risk: an attacker can try to intercept the plain HTTP request and mount an attack from there.

This protection is configured with the Strict-Transport-Security response header. When the browser first accesses the server over HTTPS, the response carries this header; on every later visit the browser automatically converts HTTP URLs for that site to HTTPS.

Configuration:

  • max-age: how long the rule stays in effect, in seconds

  • includeSubDomains: if set, the rule applies to subdomains as well

  • preload: see the preload list maintained by Google

    • HSTS preload list maintained by Google
    • HSTS preload list used by Firefox
    • Once the domain is accepted into the list, the browser will never connect to it in an insecure way

    // HTTP response header
    Strict-Transport-Security: max-age=63072000
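As an added example (not code from the post), the following simulates the browser side of the header above: the rule is stored only when it arrives over HTTPS, expires after max-age seconds, covers subdomains only when includeSubDomains is present, is forgotten again by max-age=0, and rewrites later http:// URLs to https:// before any request is sent. Hostnames are constructed, and the clock is injectable so that expiry can be exercised.

```python
"""Browser-side model of Strict-Transport-Security (added example; not the post's code)."""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header: str):
    """Parse an STS header value into (max_age, include_subdomains).

    Returns None when the header is malformed: max-age missing or not a
    number, or a directive given twice. Unknown directives (including
    'preload', which only matters to the preload-list services) are ignored.
    """
    max_age, include_sub = None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit() or max_age is not None:
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            if include_sub:
                return None
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """Known-HSTS-hosts store, keyed by hostname."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.entries = {}  # host -> (expires_at, include_subdomains)

    def observe_response(self, url: str, headers: dict) -> bool:
        """Record the STS rule from a response. Returns True if the store changed.

        The header is ignored on responses received over plain HTTP, so an
        on-path attacker cannot plant or clear a rule from an http:// page.
        """
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        lowered = {k.lower(): v for k, v in headers.items()}
        sts = lowered.get("strict-transport-security")
        parsed = parse_hsts(sts) if sts is not None else None
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget the host
            return True
        self.entries[host] = (self.clock() + max_age, include_sub)
        return True

    def is_known(self, host: str) -> bool:
        """True if host, or a parent domain with includeSubDomains, has a live rule."""
        labels = host.lower().split(".")
        now = self.clock()
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at <= now:
                continue  # expired rule no longer applies
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Return the URL the browser would actually request."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The store is keyed by hostname only, which mirrors how browsers treat HSTS: one rule per host, with the optional parent-domain lookup that includeSubDomains enables.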

Controlling the addresses XMLHttpRequest, <a>, etc. may access

connect-src lets you specify a whitelist of the addresses that may be reached through:

  • <a>
  • fetch
  • XMLHttpRequest
  • WebSocket
  • EventSource: an interface for one-way events pushed by the server

Violation reports

When a resource does not match the Content-Security-Policy whitelist, the browser can upload a violation report. Use either Content-Security-Policy-Report-Only or Content-Security-Policy, and add the report-uri directive pointing at the endpoint that receives the reports.

  • Content-Security-Policy-Report-Only: only reports violations, does not restrict behaviour
  • Without report-uri configured, nothing is reported

    // 1. Content-Security-Policy-Report-Only: report any script not loaded from example.com, but still run it.
    //    Browsers honour this header only as an HTTP response header; it cannot be set from a <meta> tag.
    Content-Security-Policy-Report-Only: script-src example.com; report-uri http://example.com/report

    // 2. Enforcing policy with report-uri: block the script and send a report.
    //    report-uri is likewise ignored inside a <meta> tag, so set it as a response header.
    Content-Security-Policy: script-src example.com; report-uri http://example.com/report
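The report-uri endpoint itself is the part the post does not show. Below is an added example receiver (not the post's code) that validates the JSON body a browser POSTs to report-uri, reduces each report to a compact record, and aggregates violations by directive and blocked origin so that noise from one misbehaving third party is easy to spot; the sample reports and hostnames are constructed.

```python
"""Receiver logic for report-uri CSP violation reports (added example; not the post's code)."""
import json
from collections import Counter
from urllib.parse import urlsplit

# Fields a report must carry before it is worth logging.
REQUIRED = ("document-uri", "violated-directive", "blocked-uri")


def parse_report(body: str):
    """Validate one POST body of type application/csp-report.

    Returns a flat record, or None if the body is not a well-formed report.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict) or any(k not in report for k in REQUIRED):
        return None
    blocked = report["blocked-uri"]
    # Browsers send bare keywords such as "inline" or "eval"; for real URLs keep only
    # the origin, so query strings from third-party URLs never end up in the log.
    if "://" in blocked:
        u = urlsplit(blocked)
        blocked = f"{u.scheme}://{u.netloc}"
    return {
        "document": urlsplit(report["document-uri"]).path or "/",
        # Older browsers put the whole directive ("script-src example.com") here;
        # the first token is the directive name in either form.
        "directive": report["violated-directive"].split()[0],
        "blocked": blocked,
        "report_only": report.get("disposition") == "report",
    }


def summarize(bodies):
    """Aggregate many report bodies into counts per (directive, blocked origin)."""
    counts, malformed = Counter(), 0
    for body in bodies:
        rec = parse_report(body)
        if rec is None:
            malformed += 1
            continue
        counts[(rec["directive"], rec["blocked"])] += 1
    return counts, malformed


def _report(blocked_uri: str, disposition: str = "report") -> str:
    """Build a constructed sample report body in the shape browsers send."""
    return json.dumps({"csp-report": {
        "document-uri": "https://example.com/checkout",
        "violated-directive": "script-src",
        "effective-directive": "script-src",
        "original-policy": "script-src example.com; report-uri http://example.com/report",
        "blocked-uri": blocked_uri,
        "disposition": disposition,
        "status-code": 200,
    }})


# Constructed inbound bodies: three genuine reports and two junk requests.
SAMPLE_BODIES = [
    _report("https://cdn.third-party.test/widget.js?tag=123"),
    _report("inline"),
    _report("https://cdn.third-party.test/widget.js?tag=456", disposition="enforce"),
    '{"not": "a report"}',
    "garbage{",
]

if __name__ == "__main__":
    counts, malformed = summarize(SAMPLE_BODIES)
    for (directive, blocked), n in counts.most_common():
        print(f"{n:3d}  {directive:<12} {blocked}")
    print("malformed bodies:", malformed)
```

Because the endpoint is reachable by anyone who can send a POST, it should treat every body as untrusted input: parse it defensively, cap its size, and never store the raw third-party URL unmodified.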

An overview of common CSP directives

  • default-src: the fallback source list for every other fetch directive that is not set explicitly

  • style-src: restricts the sources of stylesheets

  • script-src: restricts the sources of JavaScript

  • img-src: restricts the sources of images and icons

  • connect-src: restricts the URLs that can be loaded through script interfaces

    • <a>
    • fetch
    • XMLHttpRequest
    • WebSocket
    • EventSource

  • media-src: restricts the sources of media loaded by the <audio>, <video> and <track> elements

  • child-src: defines the valid sources for web workers and nested browsing contexts (for example, content loaded into a page with <frame> or <iframe>)

  • font-src: sets the font sources that may be loaded with @font-face

  • manifest-src: restricts the sources of the application manifest file

  • object-src: restricts the sources for the <object>, <embed> and <applet> elements

  • prefetch-src: specifies the sources allowed for prefetching or prerendering


That's all for now; further corrections are welcome ;)

Reference: Content-Security-Policy - HTTP | MDN