What are CSPs
- Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.
- To enable CSP, you need to configure your web server to return the Content-Security-Policy HTTP header. (Sometimes you may see mentions of the X-Content-Security-Policy header, but that's an older version and you don't need to specify it anymore.)
- Alternatively, the <meta> element can be used to configure a policy, for example: <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">
- Rails provides a DSL that allows you to configure a Content Security Policy for your application. You can configure a global default policy and then override it on a per-resource basis and even use lambdas to inject per-request values into the header such as account subdomains in a multi-tenant application. We'll now take an example global policy.
```ruby
# config/initializers/content_security_policy.rb
Rails.application.config.content_security_policy do |policy|
  policy.default_src :self, :https
  policy.font_src    :self, :https, :data
  policy.img_src     :self, :https, :data
  policy.object_src  :none
  policy.script_src  :self, :https
  policy.style_src   :self, :https
  # Specify URI for violation reports
  policy.report_uri "/csp-violation-report-endpoint"
end
```
Each line of that policy maps onto a directive in the header. Below are five example header values; the numbered scenarios after the list explain, in the same order, what each policy allows and why an administrator would choose it.
1. Content-Security-Policy: default-src 'self'
2. Content-Security-Policy: default-src 'self' trusted.com *.trusted.com
3. Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com
4. Content-Security-Policy: default-src https://onlinebanking.jumbobank.com
5. Content-Security-Policy: default-src 'self' *.mailsite.com; img-src *
1. A web site administrator wants all content to come from the site's own origin (this excludes subdomains).
2. A web site administrator wants to allow content from a trusted domain and all its subdomains (it doesn't have to be the same domain that the CSP is set on).
3. A web site administrator wants to allow users of a web application to include images from any origin in their own content, but to restrict audio or video media to trusted providers, and all scripts only to a specific server that hosts trusted code. Here, by default, content is only permitted from the document's origin, with the following exceptions: images may be loaded from anywhere (the * wildcard), media only from media1.com and media2.com (not their subdomains), and executable script only from userscripts.example.com.
4. A web site administrator for an online banking site wants to ensure that all its content is loaded using TLS, in order to prevent attackers from eavesdropping on requests. The server permits access only to documents being loaded specifically over HTTPS through the single origin onlinebanking.jumbobank.com.
5. A web site administrator of a web mail site wants to allow HTML in email, as well as images loaded from anywhere, but not JavaScript or other potentially dangerous content. Note that this example doesn't specify a script-src; the browser therefore applies the default-src directive to scripts, which means that scripts can be loaded only from the originating server (and, per that directive, from *.mailsite.com).
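To make the matching and fallback rules in these scenarios concrete, here is an added Ruby example (written for this page, not code from MDN or Rails) that parses a CSP header value and decides whether a given fetch would be permitted. The page origins and resource URLs in it are constructed, and it deliberately ignores ports, paths, nonces and hashes.

```ruby
require "uri"

# The five header values from the list above, keyed by their number.
EXAMPLE_POLICIES = {
  1 => "default-src 'self'",
  2 => "default-src 'self' trusted.com *.trusted.com",
  3 => "default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com",
  4 => "default-src https://onlinebanking.jumbobank.com",
  5 => "default-src 'self' *.mailsite.com; img-src *",
}.freeze

# Parse a Content-Security-Policy header into { "directive" => [source, ...] }.
def parse_csp(header)
  header.split(";").each_with_object({}) do |chunk, acc|
    name, *sources = chunk.strip.split(/\s+/)
    acc[name] = sources if name
  end
end

# Does a single source expression permit loading `url` from a page at `page_origin`?
# Simplified: ports, paths, nonces and hashes are ignored.
def source_allows?(src, url, page_origin)
  uri  = URI(url)
  host = uri.host.to_s.downcase
  case src
  when "'none'" then false
  when "*"      then true
  when "'self'" then "#{uri.scheme}://#{host}" == page_origin.downcase
  when /\A[a-z][a-z0-9+.-]*:\z/ then uri.scheme == src.chomp(":") # scheme source such as https:
  else
    scheme, hostpat = src.include?("://") ? src.split("://", 2) : [nil, src]
    return false if scheme && scheme != uri.scheme
    hostpat = hostpat.downcase
    # "*.trusted.com" matches subdomains only, never trusted.com itself.
    hostpat.start_with?("*.") ? host.end_with?(hostpat[1..-1]) : host == hostpat
  end
end

# Fetch directives (img-src, media-src, script-src, ...) fall back to default-src
# only when absent; a directive that is present replaces the default list entirely.
def csp_allows?(policy, directive, url, page_origin)
  sources = policy[directive] || policy["default-src"] || []
  sources.any? { |s| source_allows?(s, url, page_origin) }
end

if __FILE__ == $PROGRAM_NAME
  policy = parse_csp(EXAMPLE_POLICIES[3])
  # script-src is present, so 'self' from default-src no longer applies to scripts.
  puts csp_allows?(policy, "script-src", "https://example.com/app.js", "https://example.com") # false
end
```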