
Content Security Policy

Signals & Triggers

On request

Actions

  • Set the header

Details

A Content Security Policy (CSP) is delivered in an HTTP response header and restricts which resources the browser may load for a page (scripts, styles, media and so on) and from which origins. Enforcing a CSP reduces the impact of Cross-Site Scripting (XSS), clickjacking and other content injection attacks; it is a defence in depth that complements, rather than replaces, output encoding in your app.

The CSP lists the origins and resource types your app is allowed to use (web workers, images, fonts, media, scripts, frames, stylesheets). If an attacker manages to inject a reference to a resource hosted on an origin that is not in the policy, the browser still renders your page but refuses to load the attacker's resource and reports the violation.

A CSP is a very powerful protection but can be hard to manage at scale.

This plugin helps you craft and deploy a strong CSP by listing and filtering all the domains seen in your traffic, and helps you maintain it by notifying you when a new domain tries to load resources. Once enabled, it automatically sets the Content-Security-Policy-Report-Only or Content-Security-Policy HTTP header, depending on the mode you enabled (reporting or blocking). Start in reporting mode: a policy enforced before every legitimate origin has been whitelisted will break your own pages.

Advanced details

For each violation report, the reported domain is matched against internal blacklists so that illegitimate domains are excluded from the policy.

The policy is then generated from the whitelisted domains and their category (script, connection source, media, etc.), each category mapping to the corresponding CSP directive. You can also add domains manually at any time.
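The following is an added illustration of the workflow described above, written for this page; it is not Sqreen's code. It takes report-uri style violation reports as a browser would POST them, drops reports whose blocked-uri is not an origin (such as inline or eval) or whose host is on a denylist, groups the remaining origins by effective-directive, renders the policy, and picks the header name for reporting or blocking mode. The directive set, the denylist, the /csp-report endpoint and every hostname are assumptions, and the sample reports are constructed.

```python
import json
from urllib.parse import urlsplit

# Directives the generated policy may contain; each corresponds to one of the
# resource categories listed above (scripts, connections, images, fonts, ...).
# Assumption: the plugin's real category-to-directive mapping is not on the page.
DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src", "media-src",
    "connect-src", "frame-src", "worker-src",
}

# Constructed stand-in for the plugin's internal blacklists (assumption).
DENYLIST = {"evil.example"}


def _report(directive, blocked_uri):
    """Build one report-uri style violation report as the browser would POST it."""
    return json.dumps({"csp-report": {
        "document-uri": "https://app.example/",
        "effective-directive": directive,
        "violated-directive": f"{directive} 'self'",
        "blocked-uri": blocked_uri,
    }})


# Constructed sample reports; hostnames are assumptions, not real traffic.
SAMPLE_REPORTS = [
    _report("script-src", "https://cdn.example.com/app.js"),
    _report("connect-src", "https://api.example.com/v1/events"),
    _report("img-src", "https://images.example.com:8443/logo.png"),
    _report("script-src", "https://evil.example/miner.js"),  # denylisted host
    _report("script-src", "inline"),                         # not an origin
]


def origin_of(blocked_uri):
    """Return scheme://host[:port] of a blocked-uri, or None when it is not a URL.

    Browsers report values such as 'inline', 'eval' or 'data' that are not
    origins; those cannot be allowed by host, so they are filtered out here.
    """
    parts = urlsplit(blocked_uri)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def collect_sources(reports, denylist=DENYLIST):
    """Group whitelisted origins from violation reports by CSP directive."""
    sources = {}
    for raw in reports:
        report = json.loads(raw)["csp-report"]
        # Older browsers omit effective-directive; fall back to the violated one.
        directive = report.get("effective-directive") or report["violated-directive"].split()[0]
        if directive not in DIRECTIVES:
            continue
        origin = origin_of(report["blocked-uri"])
        if origin is None:
            continue
        host = urlsplit(origin).hostname
        if host in denylist or any(host.endswith("." + d) for d in denylist):
            continue
        sources.setdefault(directive, set()).add(origin)
    return sources


def build_policy(sources, report_uri="/csp-report"):
    """Render the policy: default-src 'self' plus one directive per category."""
    parts = ["default-src 'self'"]
    for directive in sorted(sources):
        allowed = " ".join(["'self'"] + sorted(sources[directive]))
        parts.append(f"{directive} {allowed}")
    parts.append(f"report-uri {report_uri}")
    return "; ".join(parts)


def csp_header(policy, enforce=False):
    """Return (header name, value): report-only while tuning, enforcing once stable."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, policy


if __name__ == "__main__":
    policy = build_policy(collect_sources(SAMPLE_REPORTS))
    for enforce in (False, True):
        name, value = csp_header(policy, enforce)
        print(f"{name}: {value}")
```

Whitelisting is done on origins (scheme, host and port), never on full URLs, because a single allowed host is enough for the browser to accept every resource under it; inline and eval violations deliberately stay excluded, since allowing them would require 'unsafe-inline' or 'unsafe-eval' and undo most of the XSS protection.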

Language support

  • Ruby
  • Node.js
  • PHP
  • Python
  • Java

Data collected by Sqreen

Signals
  • CSP violations report

On attack

Built for developers and modern apps

Get up and running in minutes just by installing our lightweight library. Enable plugins in just a couple of clicks.

Node.js

$ npm install --save sqreen
$ echo '{ "token": "your token" }' > sqreen.json

// This should be the first line of your app
require('sqreen');

Ruby

$ echo "gem 'sqreen'" >> Gemfile
$ bundle install
$ echo "token: your token" > config/sqreen.yml

PHP

$ curl -s https://download.sqreen.io/php/install.sh > sqreen-install.sh && bash sqreen-install.sh your token

Review the downloaded sqreen-install.sh before running it; it is executed with your shell's privileges.

Python

$ pip install sqreen
$ echo -e "[sqreen]\ntoken: your token" > sqreen.ini

# Insert at the top of your app file (typically wsgi.py or app.py)
import sqreen
sqreen.start()

Java

$ curl https://download.sqreen.io/java/sqreen-latest-all.jar -o sqreen.jar

// Add JVM startup options:
-javaagent:/path/to/sqreen.jar -Dsqreen.token=your token
