Testing Content Security Policy CSP Headers

HTML5 header security

If you run a website you may want to add modern Content-Security-Policy (CSP) headers to control which resources can be loaded on your site. This helps prevent common frontend attacks (like cross-site scripting) by specifying a list of rules in a header on the response from the server serving your website’s HTML. This post will explain more.

What is CSP

A content security policy is a modern HTTP response header that a server attaches to a response to inform the browser which resources can be safely loaded for the HTML that is delivered. The browser can then refuse to load or execute anything else on the page. This means that if another user somehow gets their own JavaScript onto the page (for example via an unsanitized input string) and you then render the HTML in your browser, the CSP header tells the browser to block that execution. This is a simple way to lock down many of the different ways that a frontend site can fall victim to XSS attacks.

How to view CSP headers

Many websites include CSP headers that you may not have noticed before. We can use curl in the terminal to view such headers. A good website to investigate is https://observatory.mozilla.org/ - a Mozilla site designed for CSP development. It just so happens that this website enforces a good CSP header.

Let’s get the header and take a look. Request the site, send the body to /dev/null, then grep the headers for the CSP.

curl -sD - https://observatory.mozilla.org/ -o /dev/null | grep Content-Security-Policy

The grepped output looks similar to this:

Content-Security-Policy: default-src 'none'; base-uri 'none'; form-action 'self'; connect-src https://api.ssllabs.com https://hstspreload.org https://http-observatory.security.mozilla.org https://securityheaders.com https://sshscan.rubidus.com https://tls.imirhil.fr https://tls-observatory.services.mozilla.com https://www.immuniweb.com; font-src 'self'; frame-ancestors 'none'; img-src 'self'; script-src 'self'; style-src 'self'

Note the Content-Security-Policy header: default-src 'none'; base-uri 'none' ... etc. The values of this
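As an added example (not code from the original post), here is a small Python checker that parses a CSP header value like the one above into its directives and flags the weaknesses a reviewer usually looks for first: a missing default-src, script sources that let injected script run, object-src not locked down, and missing base-uri or frame-ancestors. The observatory.mozilla.org policy is copied from the curl output (with its connect-src list shortened); the weak policy and the host cdn.example.net are constructed placeholders.

```python
from typing import Dict, List

# Constructed sample: the policy observatory.mozilla.org sent in the curl output
# above, with its long connect-src allow-list shortened to two hosts.
SAMPLE_CSP = ("default-src 'none'; base-uri 'none'; form-action 'self'; "
              "connect-src https://api.ssllabs.com https://hstspreload.org; "
              "font-src 'self'; frame-ancestors 'none'; img-src 'self'; "
              "script-src 'self'; style-src 'self'")

# Constructed weak policy for comparison (cdn.example.net is a placeholder host).
WEAK_CSP = "script-src 'self' 'unsafe-inline' https://cdn.example.net; img-src *"

# Source expressions (keywords, wildcard, bare schemes) that let injected script execute.
RISKY_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a header value into {directive: [sources]}; directives are ';'-separated,
    names are case-insensitive, and only the first copy of a repeated directive counts."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """An absent fetch directive falls back to default-src; with no default-src
    either, the browser imposes no restriction (modelled here as '*')."""
    return policy.get(directive, policy.get("default-src", ["*"]))


def check_csp(header: str) -> List[str]:
    """Return findings for common weaknesses; an empty list is not proof of safety."""
    policy = parse_csp(header)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("default-src missing: unlisted fetch directives are unrestricted")
    for src in effective(policy, "script-src"):
        if src in RISKY_SCRIPT_SOURCES:
            findings.append(f"script-src allows {src}, so injected script can run")
    if effective(policy, "object-src") != ["'none'"]:
        findings.append("object-src not 'none': plugin content can still load")
    if "base-uri" not in policy:
        findings.append("base-uri missing: an injected <base> can redirect relative script URLs")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing: other origins can frame the page")
    return findings
```

Feed it the value part of the Content-Security-Policy line from the curl output; the Observatory policy yields no findings, while the weak one yields five.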

How to test Content Security Policy

You can use the open source Mozilla Observatory to scan any website and grade its content security policy against best practices. Here are the results for yahoo.com:

[screenshot: Mozilla Observatory scan results for yahoo.com]

Your test results are broken down into sections:

[screenshot: Observatory test results broken down by section]