In my Getting Started With a Content Security Policy post, I set up a report-only CSP so that I could see what a policy would block before enforcing it. It is time to parse through the results and see what needs to be updated in the deployed policy. The original policy was very simple:

default-src https:

Inspecting The Violations

I started by looking at the current violations, and it was clear that this was a rather permissive Content Security Policy, because nothing much was being blocked: the `https:` scheme source allows any resource from any https origin. So I tightened the report-only policy to

default-src 'self'

and let it run for a while before gathering more violation details like these

Building the New Header

Looking at the results, I'm not personally concerned with images, so I'll allow those from any https origin. (This is a convenience trade-off: an image request to an arbitrary https origin can still carry page data in its query string, so a stricter site would list specific image hosts instead.)

default-src 'self'; img-src https:; 

I know I have fonts loading from Google, so that can be allowed next. The font files themselves come from fonts.gstatic.com; if the @font-face stylesheet is loaded from fonts.googleapis.com rather than self-hosted, style-src needs that origin as well. Note also that a fetch directive such as font-src does not inherit from default-src: once font-src is present, `'self'` must be repeated in it if any fonts are served from your own origin.

default-src 'self'; img-src https:; font-src https://fonts.gstatic.com

The process continues until every known resource, and every type of resource you plan to load, is covered and you have a final CSP. Once you switch to enforcing it, keep the reporting directive (report-uri or report-to) in place so that you can identify new content on your site that should be allowed, or worse, malicious content that someone is trying to introduce.
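As an added example (not code from the original post), here is a small Python script that performs the two steps described above, inspecting the collected violations and building the new header, over a handful of constructed report-uri bodies. The field names (`csp-report`, `effective-directive`, `violated-directive`, `blocked-uri`) are the standard legacy report format; the sample origins (cdn.example.net, evil.example.org), the starting policy and the `trusted` set are assumptions for the illustration. Blocked URIs are collapsed to their origin, unsafe keywords and untrusted origins are surfaced for manual review rather than added, and a newly created fetch directive is seeded with the default-src sources so the fallback is not silently lost.

```python
import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit


def _report(doc: str, directive: str, blocked: str) -> str:
    """Build one constructed report-uri body (only the fields read below)."""
    return json.dumps({"csp-report": {"document-uri": doc,
                                      "effective-directive": directive,
                                      "blocked-uri": blocked}})


# Constructed sample reports, shaped like what a browser POSTs to report-uri.
SAMPLE_REPORTS = [
    _report("https://example.com/", "img-src", "https://cdn.example.net/logo.png"),
    _report("https://example.com/about", "img-src", "https://cdn.example.net/hero.png"),
    _report("https://example.com/about", "font-src", "https://fonts.gstatic.com/s/roboto/v30/x.woff2"),
    _report("https://example.com/about", "style-src", "https://fonts.googleapis.com/css?family=Roboto"),
    _report("https://example.com/", "script-src", "inline"),
    _report("https://example.com/", "script-src", "https://evil.example.org/miner.js"),
]


def classify_blocked_uri(blocked: str) -> str:
    """Map a report's blocked-uri to the source expression that would allow it."""
    if blocked in ("inline", "self"):      # inline script/style ("self" in very old reports)
        return "'unsafe-inline'"
    if blocked == "eval":
        return "'unsafe-eval'"
    if blocked in ("data", "blob", "filesystem"):
        return blocked + ":"                # scheme source
    parts = urlsplit(blocked)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"   # origin only; paths are noise here
    return "<unknown>"


def parse_report(body: str) -> tuple:
    """Return (directive, source) for one report body.

    effective-directive names the directive that actually fired. Older browsers
    only sent violated-directive, which carries the whole source list, so fall
    back to its first token.
    """
    report = json.loads(body).get("csp-report", {})
    directive = report.get("effective-directive") or report.get("violated-directive", "")
    directive = directive.split()[0] if directive else "<unknown>"
    return directive, classify_blocked_uri(report.get("blocked-uri", ""))


def aggregate(bodies):
    """directive -> Counter of source expressions seen in the reports."""
    counts = defaultdict(Counter)
    for body in bodies:
        directive, source = parse_report(body)
        counts[directive][source] += 1
    return counts


def propose(policy: dict, counts, trusted: set):
    """Fold trusted origins into the policy; everything else goes to a review list.

    Reports are attacker-influenced (anyone can POST to report-uri, and an injected
    script produces a report for its own origin), so nothing is added unless it is
    in `trusted`.
    """
    new_policy = {d: list(s) for d, s in policy.items()}
    needs_review = []
    for directive, sources in counts.items():
        for source, n in sources.most_common():
            if source not in trusted:
                needs_review.append((directive, source, n))
                continue
            # A fetch directive does not inherit from default-src: once font-src exists,
            # default-src 'self' no longer applies to fonts. Seed a new directive with
            # default-src's sources so self-hosted assets keep working.
            bucket = new_policy.setdefault(directive, list(new_policy.get("default-src", [])))
            if source not in bucket:
                bucket.append(source)
    return new_policy, needs_review


def build_header(policy: dict) -> str:
    """Serialise a directive -> sources mapping into a Content-Security-Policy value."""
    return "; ".join(f"{d} {' '.join(s)}" for d, s in policy.items())


def run_sample():
    """Run the constructed reports through the whole pipeline."""
    policy = {"default-src": ["'self'"]}
    trusted = {"https://cdn.example.net", "https://fonts.gstatic.com",
               "https://fonts.googleapis.com"}          # assumed known-good origins
    new_policy, needs_review = propose(policy, aggregate(SAMPLE_REPORTS), trusted)
    return build_header(new_policy), needs_review


if __name__ == "__main__":
    header, review = run_sample()
    print("Content-Security-Policy-Report-Only:", header)
    for directive, source, n in review:
        print(f"review: {directive} {source} ({n} reports)")
```

The script handles the legacy report-uri body; reports delivered through report-to use the Reporting API shape instead (`type: "csp-violation"` with camelCase keys such as `effectiveDirective` and `blockedURL`), so a real collector should accept both. The `script-src` entries it leaves in the review list are exactly the ones that need a human: `'unsafe-inline'` should prompt a move to nonces or hashes rather than be allowed, and an unfamiliar origin may be the malicious content the reporting stage exists to catch.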

Resources

Here are some resources that can help you continue building your CSP: