This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Content Security Policy Cheat Sheet"

From OWASP
(DRAFT CHEAT SHEET - WORK IN PROGRESS)
m (Point to the official site)
 
(26 intermediate revisions by 5 users not shown)
Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and more importantly to reduce the harm caused by content injection attacks.
+
__NOTOC__
 +
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
  
= Introduction =
+
The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]!
  
Introduction to CSP here.
+
Please visit [https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html Content Security Policy Cheat Sheet] to see the latest version of the cheat sheet.
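Review bot: the new text drops the one sentence that says what CSP is (the cross-site scripting and content-injection mitigation line at the top of the old revision) and leaves only the GitHub pointer; keep a one-line description next to the link so the archived page still states what the cheat sheet covers.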
 
 
= 80% Solution Policy =
 
 
 
This policy allows inline JavaScript and styles while blocking plugin content (Flash and other object/embed content) and keeping scripts, styles, fonts and images off plain HTTP:

 default-src 'self'; font-src data: 'self'; img-src data: https: 'self'; media-src *; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; report-uri ???

Caveat: 'unsafe-inline' in script-src means an injected inline <script> still executes, so this policy mostly limits where injected code can load further resources from rather than stopping XSS; the mixed-content guarantee also stops short of media-src *, which accepts http: sources. Move to a nonce- or hash-based script-src before relying on the policy as an XSS defence.
 
 
 
[todo] adding eval
 
[todo] adding a CDN, for example
 
[todo] Add instructions for google analytics/translation
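As an added example (not part of the OWASP cheat sheet), the following Python parses a policy string and flags the weaknesses discussed above: 'unsafe-inline' in script-src unless a nonce or hash makes browsers ignore it, wildcard or http: sources, a missing object-src 'none', and a missing report-uri. It then builds a nonce-based variant of the same 80% policy. The report endpoint path /csp-report in that variant is an assumption.

```python
"""Parse a Content-Security-Policy value and flag the weaknesses that matter.

Added example for this cheat sheet, not code from OWASP. The 80% policy is
the one given above minus its unspecified report-uri; the endpoint path
/csp-report used in the hardened variant is an assumption.
"""
import secrets

EIGHTY_PERCENT_POLICY = (
    "default-src 'self'; font-src data: 'self'; img-src data: https: 'self'; "
    "media-src *; object-src 'none'; script-src 'self' 'unsafe-inline'; "
    "style-src 'self' 'unsafe-inline'"
)

# Fetch directives fall back to default-src when not set explicitly.
FETCH_DIRECTIVES = (
    "child-src", "connect-src", "font-src", "frame-src", "img-src",
    "media-src", "object-src", "script-src", "style-src",
)
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy):
    """Return {directive: [source, ...]}.

    Directives are ';'-separated, sources whitespace-separated. A directive
    that appears twice keeps its first occurrence, as browsers do.
    """
    directives = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives, name):
    """Sources governing `name`, honouring the default-src fallback.

    With neither the directive nor default-src present, everything is allowed.
    """
    if name in directives:
        return directives[name]
    if name in FETCH_DIRECTIVES:
        return directives.get("default-src", ["*"])
    return []


def lint_csp(policy):
    """Findings an attacker would exploit, most important first."""
    d = parse_csp(policy)
    findings = []
    script = effective_sources(d, "script-src")
    # CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is present.
    if "'unsafe-inline'" in script and not any(
        s.startswith(HASH_OR_NONCE) for s in script
    ):
        findings.append("script-src 'unsafe-inline': an injected <script> still executes")
    if "'unsafe-eval'" in script:
        findings.append("script-src 'unsafe-eval': eval()/new Function() allowed")
    if "*" in script or "https:" in script:
        findings.append("script-src allows scripts from any origin")
    if "'none'" not in effective_sources(d, "object-src"):
        findings.append("object-src is not 'none': plugin content (Flash etc.) can load")
    for name in FETCH_DIRECTIVES:
        if any(s in ("*", "http:") for s in effective_sources(d, name)):
            findings.append(f"{name} allows http: sources, so mixed content is possible")
    if "report-uri" not in d and "report-to" not in d:
        findings.append("no report-uri/report-to: violations will never be seen")
    return findings


def hardened_policy(nonce=None):
    """Same policy with nonce-based script-src and https-only media.

    Generate a fresh nonce per response and put it on every legitimate
    inline <script nonce=...>; injected scripts will not know it.
    """
    nonce = nonce or secrets.token_urlsafe(16)
    return (
        "default-src 'self'; font-src data: 'self'; img-src data: https: 'self'; "
        "media-src 'self' https:; object-src 'none'; "
        f"script-src 'self' 'nonce-{nonce}'; style-src 'self' 'unsafe-inline'; "
        "report-uri /csp-report"  # assumed endpoint path
    )


if __name__ == "__main__":
    for label, pol in (("80% policy", EIGHTY_PERCENT_POLICY), ("hardened", hardened_policy())):
        print(label)
        for finding in lint_csp(pol) or ["no findings"]:
            print("  -", finding)
```

Run against the 80% policy the linter reports the inline-script weakness, the http: media sources and the missing report endpoint; the nonce-based variant comes back clean. The nonce must be regenerated for every response and never reused, otherwise an attacker who sees one page can forge it.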
 
 
 
= Configurations =
 
 
 
[todo] add context around these examples and where they would go in a config file.
 
 
 
== Apache ==
 
 
 
These directives need mod_headers and belong in the server or virtual-host configuration (or in .htaccess where AllowOverride permits it):

 Header set X-Content-Type-Options "nosniff"
 Header set X-XSS-Protection "1; mode=block"
 Header set X-Frame-Options "SAMEORIGIN"
 Header set Strict-Transport-Security "max-age=631138519"
 Header unset Content-Security-Policy
 Header add Content-Security-Policy-Report-Only <whatever the policy ends up being>

The unset line makes sure no enforcing policy from elsewhere in the configuration is sent while the report-only one is being tested. Two caveats: Header without the always keyword is applied only to successful (2xx) responses, so add always if the headers should also reach error pages; and Header add appends a second copy if another part of the configuration already sets the header, so prefer Header set once the policy is final. X-XSS-Protection depends on the browser's XSS auditor, which Chromium-based browsers have since removed and Firefox never implemented; it is harmless but no substitute for the CSP.
 
 
 
== nginx ==
 
 
These go in the http, server or location block:

 add_header X-Content-Type-Options "nosniff";
 add_header X-XSS-Protection "1; mode=block";
 add_header X-Frame-Options "SAMEORIGIN";
 add_header Strict-Transport-Security "max-age=631138519";
 add_header Content-Security-Policy-Report-Only "<whatever the policy ends up being>";

Caveat: add_header is inherited from the enclosing level only when the current level has no add_header of its own, so a location block that adds a single header of its own silently drops all of these unless they are repeated there. As with Apache, append the always parameter to have the headers sent on error responses as well.
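Before the report-only header above is turned into an enforcing Content-Security-Policy, the reports browsers POST to report-uri have to be collected and read. The Python below is an added example, not part of the cheat sheet: it assumes the standard report body (a JSON object whose single top-level key is csp-report), uses constructed sample reports rather than captured traffic, and aggregates them into the host sources and inline-code cases a policy author has to decide on.

```python
"""Aggregate the violation reports browsers POST to a CSP report-uri endpoint.

Added example, not from the cheat sheet. Assumes the standard report shape:
a JSON body with one top-level "csp-report" object.
"""
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample bodies shaped like what a browser sends
# (Content-Type: application/csp-report). They are not real captured traffic.
SAMPLE_BODIES = [
    json.dumps({"csp-report": {
        "document-uri": "https://example.com/account",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "blocked-uri": "https://cdn.example.net/analytics.js",
        "status-code": 200}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.com/account",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "blocked-uri": "https://cdn.example.net/analytics.js",
        "status-code": 200}}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.com/login",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "blocked-uri": "inline",
        "script-sample": "document.cookie",
        "status-code": 200}}),
    json.dumps({"csp-report": {  # injected by a browser extension, not our page
        "document-uri": "https://example.com/",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "chrome-extension",
        "source-file": "chrome-extension://abcdef/content.js",
        "status-code": 200}}),
    "not json at all",  # garbage hitting a public endpoint is routine
]

EXTENSION_SCHEMES = ("chrome-extension", "moz-extension", "safari-extension")


def parse_report(body):
    """Return the inner csp-report dict, or None if the body is not a report."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict) or "violated-directive" not in report:
        return None
    return report


def is_extension_noise(report):
    """Browser extensions inject scripts the policy blocks; that is not our bug."""
    for key in ("blocked-uri", "source-file"):
        if str(report.get(key, "")).startswith(EXTENSION_SCHEMES):
            return True
    return False


def summarize(bodies):
    """Count (directive, blocked source) pairs, dropping junk and extension noise.

    Returns (counter, number_of_dropped_bodies).
    """
    counts = Counter()
    dropped = 0
    for body in bodies:
        report = parse_report(body)
        if report is None or is_extension_noise(report):
            dropped += 1
            continue
        # effective-directive is absent in older reports; fall back to the
        # first token of violated-directive.
        directive = report.get("effective-directive") or report["violated-directive"].split()[0]
        counts[(directive, report.get("blocked-uri", ""))] += 1
    return counts, dropped


def suggest_sources(counts):
    """Turn aggregated violations into candidate policy changes to review by hand.

    A blocked https URL becomes a host source for that directive; "inline"
    means the page has inline code that should get a nonce or hash.
    """
    suggestions = {}
    for (directive, blocked), _count in counts.items():
        if blocked == "inline":
            entry = "inline code: add a nonce or hash, not 'unsafe-inline'"
        elif blocked.startswith("https://"):
            parts = urlsplit(blocked)
            entry = f"{parts.scheme}://{parts.netloc}"
        else:
            continue  # e.g. "eval" or a bare scheme: needs a human look
        suggestions.setdefault(directive, set()).add(entry)
    return {k: sorted(v) for k, v in suggestions.items()}


if __name__ == "__main__":
    counts, dropped = summarize(SAMPLE_BODIES)
    for (directive, blocked), n in counts.most_common():
        print(f"{n:4d}  {directive:12s} {blocked}")
    print(f"dropped {dropped} report(s)")
    print(suggest_sources(counts))
```

The aggregation deliberately keys on the blocked URI rather than the document URI, because the question at this stage is which sources to allow-list, not which pages trigger them. Treat every suggestion as a candidate: a third-party host that shows up in reports may be exactly the injection the policy is there to stop.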
 
 
 
= Authors and Primary Editors =
 
 
 
Neil Mattatall - neil[at]owasp.org<br/>
 
Denis Mello - ddtaxe
 
 
 
= Other Cheatsheets =
 
{{Cheatsheet_Navigation}}
 
 
 
[[Category:Cheatsheets]]
 

Latest revision as of 14:35, 15 July 2019
