User Friction & Site Performance Blog | Blue Triangle

Why your site needs a Content Security Policy (CSP)

Written by Josh Carter | Jan 10, 2019 5:36:45 PM

A Content Security Policy (CSP) can help protect your site from data breaches caused by cross-site scripting (XSS) and formjacking attacks. A CSP also prevents client-side malware from injecting unwanted ads on your website.


What is a Content Security Policy (CSP)?

A Content Security Policy (CSP) is a browser security standard that controls what domains, subdomains, and types of resources a browser can load on a given web page.

It is implemented via an HTTP header, but a CSP can also be placed on a web page using a <meta> tag. CSPs are compatible with most modern desktop and mobile browsers, including Chrome, Firefox, Internet Explorer, Edge, Opera, and Safari.

Here's the first line of bluetriangle.com's CSP header:

Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' *.cloudfront.net *.btttag.com *.googleadservices.com *.googletraveladservices.com *.adroll.com *.cloudfront.net everesttech.net

...and the equivalent <meta> tag:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline' 'unsafe-eval' *.cloudfront.net *.btttag.com *.googleadservices.com *.googletraveladservices.com *.adroll.com *.cloudfront.net everesttech.net ... />

Why you need a CSP

CSPs are used to detect and prevent certain types of attacks, including:

Formjacking & Cross-Site Scripting

If a hacker injects code into your checkout pages, a CSP automatically blocks the code from sending your customer's payment information to the hacker's domain.

Browser Hijacking & Ad Injection

Client-side malware causes unwanted ads to appear on your users' browsers. A CSP prevents these ads from loading when affected users go on your website.

Unauthorized Piggyback Tags

One tag could also be loading multiple tags from vendors you have not authorized. A CSP eliminates this security risk.

The credit card skimming attacks at Ticketmaster UK, British Airways, Newegg, and thousands of other sites could have been prevented with a properly implemented CSP.
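As an added example (not code from the post or from Blue Triangle's product), the following Python models how a browser tests a resource URL against the default-src directive quoted above, which is the check that refuses a script from a host outside the list in the checkout scenario; the page origin https://bluetriangle.com and the script URLs are assumptions for the demo.

```python
"""CSP host-source matcher (added example, not Blue Triangle's code).
Applies the matching rules a browser uses for directives like default-src:
'self', exact hosts, wildcard subdomains (*.example.com) and scheme-qualified
sources. Nonces, hashes and reporting are left out for brevity."""
from urllib.parse import urlsplit

# First directive of the policy quoted in the post (duplicate entry dropped).
POLICY = ("default-src 'self' 'unsafe-inline' 'unsafe-eval' *.cloudfront.net "
          "*.btttag.com *.googleadservices.com *.googletraveladservices.com "
          "*.adroll.com everesttech.net")
PAGE = "https://bluetriangle.com/checkout"  # assumed page origin for the demo

def parse_policy(policy: str) -> dict:
    """'d1 s s; d2 s' -> {'d1': [s, s], 'd2': [s]}"""
    out = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out

def host_matches(pattern: str, host: str) -> bool:
    """*.example.com matches any subdomain but never example.com itself."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def source_allowed(source: str, url: str, page: str) -> bool:
    """Does one source expression permit loading url from a document at page?"""
    u, p = urlsplit(url), urlsplit(page)
    if source == "'self'":
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if source == "*":
        return True
    if source.startswith("'"):  # 'unsafe-inline', 'none', nonces: not host sources
        return False
    scheme, _, rest = source.rpartition("://")  # optional scheme prefix
    if scheme and scheme != u.scheme:
        return False
    host_pattern = rest.split("/")[0].split(":")[0]  # drop path and port
    return host_matches(host_pattern, u.hostname or "")

def is_allowed(policy: str, url: str, page: str = PAGE, directive: str = "script-src") -> bool:
    """Look up directive (falling back to default-src) and test every source."""
    directives = parse_policy(policy)
    sources = directives.get(directive) or directives.get("default-src", [])
    return any(source_allowed(s, url, page) for s in sources)
```

Note that because this policy contains 'unsafe-inline', an injected inline script is itself permitted; what the policy stops is any script load or fetch to a host outside the list, which is the behaviour the post relies on.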

How common are CSPs?

Unfortunately, not in the slightest.

Only 6.9% of the 1,114 websites we are measuring in our Industry Benchmarks have a CSP header in place.

Here’s the breakdown:

Based on the conversations I've had with eCommerce security leaders, the lack of adoption is attributed to 3 key factors:

1. CSPs are hard to build

Before a CSP can be built, you need to determine what domains and subdomains have access to your website and what resources they’re loading (e.g. JavaScript, CSS, PHP). Without the right analytics tools, getting this data is a manual and tedious process.

You can start creating your CSP only once you've determined which domains and subdomains, and which of their resources, are allowed access to your website. This process can take days or even weeks.

2. CSPs are tough to manage

Once you’ve built and implemented your CSP, someone needs to manually update it with every website release and stay on top of any CSP violations that are reported in the browser console log. Again, this is a tedious process and requires a monitoring solution that can notify you when content is blocked by the CSP.

3. CSPs are incredibly complicated

Most CSPs are dozens of lines long. And even for the more technical, the documentation can be a bit overwhelming. Specifying the resource types that are authorized to be loaded by domains and subdomains is very complex and leaves no room for error.

Implementing a CSP Manager

A CSP Management solution like Blue Triangle’s can help you automate the process of building and managing your Content Security Policy.

We have a step-by-step process to eliminate the chaos. We inventory your domains, provide a streamlined process for you to approve them, and automatically build your Content Security Policy. Then our solution helps you easily update your CSP and alerts you as soon as there are violations.

Blue Triangle adds a necessary layer of security, mitigating your risk of a data breach stemming from malicious first or third party code.

Here’s how our CSP Manager works:

1. Inventory your domains

We start off by identifying what first and third-party domains are loading on your site. See who owns the domains and what pages they’re loading on.

2. Determine what domains are allowed

Now that you know what domains are loading on your site, quickly create a whitelist of approved domains, as well as what type of files they are allowed to call.

3. Auto-generate Content Security Policy (CSP)

Once you approve the whitelist, Blue Triangle automatically generates a comprehensive CSP that you can deploy in seconds.

4. Deploy CSP and stay secure

Your CSP blocks any unknown or malicious domains from accessing your site. We’ll even notify you as soon as there are any violations to your CSP.

Not ready to block? Then stay in alert-only mode.
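As an added example of the alert-only mode and the violation monitoring described in steps 2 to 4 (this is not Blue Triangle's product code), the Python below emits a Content-Security-Policy-Report-Only header and triages the JSON reports browsers POST to the report-uri endpoint; the /csp-report path and the sample reports are constructed for the demo.

```python
"""Alert-only CSP: emit a Report-Only header and triage violation reports.
Added example, not Blue Triangle's product. Reports use the legacy
report-uri JSON shape ({"csp-report": {...}}); the samples are constructed."""
import json
from collections import Counter
from urllib.parse import urlsplit

NON_NETWORK = {"inline", "eval", "data", "blob", ""}  # keyword values browsers send

def report_only_header(policy: str, report_path: str = "/csp-report") -> tuple:
    """Logs violations without blocking; rename to Content-Security-Policy
    (keeping the report-uri) once the policy has run clean in alert-only mode."""
    return ("Content-Security-Policy-Report-Only", f"{policy}; report-uri {report_path}")

def triage(report_json: str) -> dict:
    """Reduce one browser report to the fields worth paging someone about."""
    body = json.loads(report_json).get("csp-report", {})
    blocked = body.get("blocked-uri", "")
    host = blocked if blocked in NON_NETWORK else (urlsplit(blocked).hostname or blocked)
    return {
        "page": body.get("document-uri", ""),
        "directive": body.get("effective-directive") or body.get("violated-directive", ""),
        "blocked_host": host,
        "enforced": body.get("disposition") == "enforce",  # "report" in alert-only mode
    }

def aggregate(reports) -> Counter:
    """Count (directive, blocked host) pairs so a busy page does not flood alerts."""
    return Counter((t["directive"], t["blocked_host"]) for t in map(triage, reports))

def _report(blocked: str, page: str = "https://bluetriangle.com/checkout") -> str:
    return json.dumps({"csp-report": {
        "document-uri": page, "violated-directive": "script-src",
        "effective-directive": "script-src", "blocked-uri": blocked,
        "disposition": "report", "status-code": 200,
        "original-policy": "default-src 'self'; report-uri /csp-report"}})

# Constructed sample: two loads from an unlisted host plus one inline script.
SAMPLE_REPORTS = [
    _report("https://skimmer.example/collect.js"),
    _report("https://skimmer.example/collect.js", "https://bluetriangle.com/cart"),
    _report("inline"),
]

if __name__ == "__main__":
    print(report_only_header("default-src 'self'"))
    for (directive, host), n in aggregate(SAMPLE_REPORTS).most_common():
        print(f"{n:3d}  {directive:<12} {host}")
```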

Ready to implement a CSP?

A Content Security Policy can protect your site from a variety of attacks, including credit card skimming and ad injection. Without a CSP management solution, creating and building one is a manual and tedious process. Blue Triangle can help.