A Content Security Policy (CSP) can help protect your site from data breaches caused by cross-site scripting (XSS) and formjacking attacks. A CSP also prevents client-side malware from injecting unwanted ads on your website.
A Content Security Policy (CSP) is a browser security standard that controls what domains, subdomains, and types of resources a browser can load on a given web page.
It is implemented via an HTTP header, but a CSP can also be placed on a web page using a <meta> tag. CSPs are compatible with most modern desktop and mobile browsers, including Chrome, Firefox, Internet Explorer, Edge, Opera, and Safari.
Here's the first line of bluetriangle.com's CSP header:
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' *.cloudfront.net *.btttag.com *.googleadservices.com *.googletraveladservices.com *.adroll.com *.cloudfront.net everesttech.net
...and the Meta Tag
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' 'unsafe-eval' *.cloudfront.net *.btttag.com *.googleadservices.com *.googletraveladservices.com *.adroll.com *.cloudfront.net everesttech.net ..." />
CSPs are used to detect and prevent certain types of attacks, including:
If a hacker injects code into your checkout pages, a CSP automatically blocks the code from sending your customer's payment information to the hacker's domain.
Client-side malware causes unwanted ads to appear on your users' browsers. A CSP prevents these ads from loading when affected users go on your website.
A single tag can also load multiple further tags from vendors you have not authorized. A CSP eliminates this security risk.
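To make the blocking behaviour above concrete, here is a small Python model of how a browser matches a fetched URL against the source list of the header quoted earlier. This is example code added for this article, not Blue Triangle's product or a browser's implementation: the policy string is the page's own default-src line (with the repeated host dropped), while the checkout page URL and the skimmer hostname are constructed, and scheme-only sources, nonces and hashes are deliberately left out.

```python
from urllib.parse import urlparse

# The default-src line quoted above (policy text from the page; page/skimmer URLs below are constructed).
POLICY = ("default-src 'self' 'unsafe-inline' 'unsafe-eval' *.cloudfront.net *.btttag.com "
          "*.googleadservices.com *.googletraveladservices.com *.adroll.com everesttech.net")

def parse_policy(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def host_matches(pattern, host):
    """Host-source match: exact host, or '*.x.com' for any subdomain (not bare 'x.com')."""
    pattern = pattern.lower()
    return host.endswith(pattern[1:]) if pattern.startswith("*.") else host == pattern

def is_allowed(policy, directive, page_url, resource_url):
    """True if the page may load resource_url under `directive` (script-src, connect-src...).
    Falls back to default-src when the directive is absent, as a browser does.
    Scheme-only sources, nonces and hashes are ignored to keep the model short."""
    sources = policy.get(directive, policy.get("default-src", []))
    page, res = urlparse(page_url), urlparse(resource_url)
    for src in sources:
        if src == "'none'":
            return False
        if src == "*" or (src == "'self'" and (res.scheme, res.netloc) == (page.scheme, page.netloc)):
            return True
        if not src.startswith("'") and host_matches(src, (res.hostname or "").lower()):
            return True  # keyword sources such as 'unsafe-inline' authorise no host
    return False

def weak_keywords(policy):
    """'unsafe-*' keywords let inline or eval'd script run, which is what an injected
    skimmer relies on, so their presence blunts the XSS protection a CSP is meant to give."""
    sources = policy.get("script-src", policy.get("default-src", []))
    return [s for s in sources if s.startswith("'unsafe-")]

if __name__ == "__main__":
    csp = parse_policy(POLICY)
    page = "https://www.bluetriangle.com/checkout"  # constructed
    print(is_allowed(csp, "connect-src", page, "https://skimmer.example/collect"))  # False: not listed
    print(is_allowed(csp, "script-src", page, "https://d1.cloudfront.net/tag.js"))  # True: *.cloudfront.net
    print(weak_keywords(csp))  # ["'unsafe-inline'", "'unsafe-eval'"]
```

The same check explains the "alert-only" mode mentioned later: sending the policy as Content-Security-Policy-Report-Only makes the browser report the would-be blocks instead of enforcing them.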
The credit card skimming attacks at Ticketmaster UK, British Airways, Newegg, and thousands of other sites could have been prevented with a properly implemented CSP.
So, are sites actually using them? Unfortunately, not in the slightest.
Only 6.9% of the 1,114 websites we are measuring in our Industry Benchmarks have a CSP header in place.
Here’s the breakdown:
Based on the conversations I've had with eCommerce security leaders, the lack of adoption is attributed to 3 key factors:
Before a CSP can be built, you need to determine which domains and subdomains have access to your website and what resources they're loading (e.g. JavaScript, CSS, PHP). Without the right analytics tools, getting this data is a manual and tedious process.
You can start creating your CSP as soon as you've determined which domains and subdomains are allowed to access your website and which resources each of them may load. This process can take days or even weeks.
Once you’ve built and implemented your CSP, someone needs to manually update it with every website release and stay on top of any CSP violations that are reported in the browser console log. Again, this is a tedious process and requires a monitoring solution that can notify you when content is blocked by the CSP.
Most CSPs are dozens of lines long. And even for the more technical, the documentation can be a bit overwhelming. Specifying the resource types that are authorized to be loaded by domains and subdomains is very complex and leaves no room for error.
A CSP Management solution like Blue Triangle’s can help you automate the process of building and managing your Content Security Policy.
We have a step by step process to eliminate the chaos. We inventory your domains, provide a streamlined process for you to approve them, and automatically build your Content Security Policy. Then our solution helps you easily update your CSP and alert you as soon as there are violations.
Blue Triangle adds a necessary layer of security, mitigating your risk of a data breach stemming from malicious first- or third-party code.
Here’s how our CSP Manager works:
We start off by identifying which first- and third-party domains are loading on your site. See who owns the domains and which pages they're loading on.
Now that you know what domains are loading on your site, quickly create a whitelist of approved domains, as well as what type of files they are allowed to call.
Once you approve the whitelist, Blue Triangle automatically generates a comprehensive CSP that you can deploy in seconds.
Your CSP blocks any unknown or malicious domains from accessing your site. We’ll even notify you as soon as there are any violations to your CSP.
Not ready to block? Then stay in alert-only mode.
A Content Security Policy can protect your site from a variety of attacks, including credit card skimming and ad injection. Without a CSP management solution, creating and building one is a manual and tedious process. Blue Triangle can help.