How to implement content security policy?

别那么骄傲 2021-01-03 03:14

There are good articles explaining the options for CSP, like this one: http://www.html5rocks.com/en/tutorials/security/content-security-policy/

Perhaps it's completel

3 answers
  •  耶瑟儿~
    2021-01-03 03:53

    At the end of the day the choice is yours. You can set it globally in your apache webserver. In which case it will apply to every page. And you can then also set the headers on individual pages if required for a more granular approach.

    Check these sites for help in building your CSP rules:

    https://csp-evaluator.withgoogle.com/

    https://report-uri.io/home/generate

    Scott Helme knows a lot about the subject and has some good examples as well. You can also send your reports to his website for some basic analysis.

    https://scotthelme.co.uk/content-security-policy-an-introduction/

    This may also be of interest for Apache configurations:

    Generate a nonce with Apache 2.4 (for a Content Security Policy header)

    I also strongly recommend that you read this paper, which talks about some newer (and simpler looking) configuration approaches and browser backwards compatibility:

    https://www.websec.be/blog/cspstrictdynamic/

    And this is also an excellent paper, "CSP Is Dead, Long Live CSP!" from Google Research; in particular refer to section 4, IMPROVING CSP, on bypassing whitelists and propagating trust.

    https://research.google.com/pubs/pub45542.html

    Do lots of reading and, when you're ready to implement, use the REPORT ONLY mode directive so you get the console messages without the policy enforcement.

    Content-Security-Policy-Report-Only: ; 
    

    Once you're happy, then you can enforce the rules:

    Content-Security-Policy: ; 
    
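Before moving a policy from Content-Security-Policy-Report-Only to the enforced header, it is worth running the same kind of checks the csp-evaluator and the "CSP Is Dead" paper apply: a plain host whitelist, 'unsafe-inline' without a nonce or hash, a missing object-src 'none', and a missing base-uri. The following is an added example (not from the original answer or any of the linked tools) that parses a header value and reports those weaknesses; the two sample policies at the bottom of the test are constructed, and the nonce value in them is a placeholder.

```python
from typing import Dict, List, Optional

# Source expressions that make a script-src nonce- or hash-based.
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive: [source expressions]}.
    Browsers honour only the first occurrence of a repeated directive."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def sources(d: Dict[str, List[str]], name: str) -> Optional[List[str]]:
    """script-src and object-src fall back to default-src when absent."""
    return d.get(name, d.get("default-src"))


def lint_csp(policy: str) -> List[str]:
    """Return the weaknesses found; an empty list means the policy looks strict."""
    d = parse_csp(policy)
    findings: List[str] = []
    script = sources(d, "script-src")
    if script is None:
        findings.append("script-src: neither script-src nor default-src is set; scripts are unrestricted")
    else:
        nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in script)
        strict_dynamic = "'strict-dynamic'" in script
        # When a nonce/hash is present, CSP2+ browsers ignore 'unsafe-inline'
        # (it is kept only for old browsers), so it is a finding only on its own.
        if "'unsafe-inline'" in script and not nonce_or_hash:
            findings.append("script-src: 'unsafe-inline' without a nonce/hash lets injected inline scripts run")
        if "'unsafe-eval'" in script:
            findings.append("script-src: 'unsafe-eval' permits eval()/Function() on untrusted strings")
        if strict_dynamic and not nonce_or_hash:
            findings.append("script-src: 'strict-dynamic' has no effect without a nonce or hash")
        # Host/scheme allowlists are ignored under 'strict-dynamic'; without it they
        # are the bypassable part (JSONP endpoints and open CDNs on the listed hosts).
        hosts = [s for s in script if not s.startswith("'")]
        if hosts and not strict_dynamic:
            findings.append("script-src: allowlist %s is whitelist-based; prefer nonces + 'strict-dynamic'" % ", ".join(hosts))
    obj = sources(d, "object-src")
    if obj is None or "'none'" not in obj:
        findings.append("object-src: not 'none'; plugin content can execute script")
    if "base-uri" not in d:
        findings.append("base-uri: missing; an injected <base> tag can redirect relative script URLs")
    return findings
```

Run lint_csp on the value you intend to ship in the Report-Only header; an empty list means the policy is nonce-based with object-src and base-uri locked down, and the remaining work is clearing the console reports.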
