What is Content Security Policy (CSP)?
An HTTP header that prevents XSS and injection attacks by controlling allowed content sources.
Definition
Content Security Policy (CSP) is an HTTP response header that tells browsers which content sources are allowed on a page: which domains can serve scripts, styles, images, fonts, and other resources. By restricting sources to trusted domains, CSP prevents Cross-Site Scripting (XSS) attacks where malicious scripts are injected into your pages. CSP can also block inline scripts, eval(), and other dangerous patterns. It is essential for any web application that handles sensitive data.
Simple Analogy
Like a strict import policy for a country: only goods from approved countries (domains) are allowed in, and anything from unapproved sources is blocked at the border regardless of what it claims to be.
Why It Matters
If your cron job management dashboard (or any web interface that interacts with scheduled jobs) is vulnerable to XSS, an attacker could modify job configurations, steal API keys, or trigger unauthorized executions through the browser. CSP is a critical defense layer that prevents injected scripts from executing, even if other security measures fail.
How to Verify
Check your web application's response headers for "Content-Security-Policy". Use browser developer tools; CSP violations appear in the Console as errors. Test your policy with CSP Evaluator (csp-evaluator.withgoogle.com). Verify that your policy blocks inline scripts and restricts sources to trusted domains only.
Common Mistakes
Using "unsafe-inline" or "unsafe-eval" in CSP, which defeats most of its protection. Not testing CSP in report-only mode before enforcing. Setting CSP too restrictively, breaking legitimate functionality. Not including CSP on all pages: an unprotected page can be the entry point for attacks.
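The verification step and the common mistakes above both come down to reading the policy and looking for a handful of weak settings. The following Node.js script is an added example (not code from the original page, and not CSP Evaluator itself): it parses a Content-Security-Policy header value and flags missing source restrictions, 'unsafe-inline', 'unsafe-eval', and wildcard or whole-scheme sources in the effective script-src. The two sample header values are constructed for illustration.

```javascript
// Added example, not code from the original page: a minimal checker that parses a
// Content-Security-Policy header value and flags the weak settings discussed above.
// It performs only a few of the checks a tool such as CSP Evaluator performs.
// The two sample header values at the bottom are constructed for illustration.

// Parse "directive src src; directive src" into a Map of directive -> [sources].
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy.set(directive.toLowerCase(), sources);
  }
  return policy;
}

// Return human-readable findings; an empty array means none of these checks fired.
function evaluateCsp(header) {
  const policy = parseCsp(header);
  const findings = [];

  // script-src falls back to default-src when absent; with neither, scripts may load from anywhere.
  const scriptSrc = policy.get('script-src') || policy.get('default-src');
  if (!scriptSrc) {
    findings.push('no script-src or default-src: scripts may load from any origin');
    return findings;
  }
  const sources = scriptSrc.map((s) => s.toLowerCase());
  if (sources.includes("'unsafe-inline'")) {
    findings.push("effective script-src allows 'unsafe-inline': injected inline scripts will run");
  }
  if (sources.includes("'unsafe-eval'")) {
    findings.push("effective script-src allows 'unsafe-eval': string-to-code (eval) is permitted");
  }
  if (sources.some((s) => s === '*' || s === 'http:' || s === 'https:' || s === 'data:')) {
    findings.push('effective script-src allows a wildcard or a whole scheme');
  }
  // Without object-src (or a default-src to fall back on) plugin content is unrestricted.
  if (!policy.has('object-src') && !policy.has('default-src')) {
    findings.push('no object-src directive and no default-src fallback');
  }
  return findings;
}

// Constructed sample header values (not taken from any real deployment).
const WEAK_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.com";
const HARDENED_POLICY =
  "default-src 'self'; script-src 'self' 'nonce-R4nd0mV4lu3'; object-src 'none'; base-uri 'self'; report-uri /csp-report";

for (const [label, value] of [['weak', WEAK_POLICY], ['hardened', HARDENED_POLICY]]) {
  const findings = evaluateCsp(value);
  console.log(`${label}: ${findings.length === 0 ? 'no findings' : '\n  ' + findings.join('\n  ')}`);
}
```

Run it with `node csp-check.js` (any file name works); the weak policy produces two findings, the hardened one none. Treat the checker as a first pass only, and still run the real policy through CSP Evaluator and the browser console as described above.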
Best Practices
Deploy CSP in report-only mode first (Content-Security-Policy-Report-Only) to identify issues without breaking functionality. Gradually tighten the policy, removing unsafe-inline and unsafe-eval. Use nonces or hashes for legitimate inline scripts. Set up CSP violation reporting to monitor and respond to potential attacks.
Related Terms
CORS Policy
Server-side rules that control which web origins can make cross-domain HTTP requests.
HTTPS
The secure version of HTTP that encrypts all communication between client and server.
Authentication
Verifying the identity of a user or system making a request to your endpoint.
Vulnerability Scanning
Automated detection of security weaknesses in applications, dependencies, and infrastructure.
Request Header
Key-value metadata sent with an HTTP request to provide context like authentication and content type.