
Proper Content-Security-Policy (CSP) Implementation

Feedback

8 comments

  • Daniel King

    So, what would a "good" config look like?


    -1
  • Lucian Lipinsky

    I've been trying to get that answer as well.

    0
  • Ingrid

    Thanks for the feedback! We've added what a good CSP should look like and an example.

    -1
  • Lucian Lipinsky

    Wow, that's great. Examples such as this should be a standard for all implementation articles and posts. The clarity removes any question or ambiguity. 

    Thank you.

    2
  • Oscar Knight

    The resources provided by BitSight have always been useful. Could some or all resources be better? Of course.

    When using online/web resources for knowledge enhancement I always remind myself of the "Network Administrator Pledge". I believe it applies to ALL disciplines/job titles.

    The Pledge of the Network Admin

    This is my network. 

    It is mine,
    or technically, my employer's;
    it is my responsibility, and I care for it with all my heart.

    There are many other networks a lot like mine, but none are just like it.

    I solemnly swear
    that I will not mindlessly paste from HOWTOs.

    Reference: https://home.nuug.no/~peter/pf/en/long-firewall.html#PREFACE

    0
  • John Tolle

    What about the unsafe-hashes keyword?  Is this disallowed just like the other unsafe-* keywords or is this allowed?  I ask because CSP Level 2 browsers may be ok with just putting an inline style (CSS) hash in a style-src directive. However, when using hashes in the style-src on browsers that support CSP Level 3, you get an error like this:

    Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'sha256-nMxMqdZhkHxz5vAuW/PAoLvECzzsmeAxD/BNwG15HuA='". Either the 'unsafe-inline' keyword, a hash ('sha256-nMxMqdZhkHxz5vAuW/PAoLvECzzsmeAxD/BNwG15HuA='), or a nonce ('nonce-...') is required to enable inline execution.

    To fix this, we either need to change our code to use a class or add the unsafe-hashes keyword to our style-src directive (along with the hashes, of course):

    style-src 'self' 'unsafe-hashes' 'sha256-nMxMqdZhkHxz5vAuW/PAoLvECzzsmeAxD/BNwG15HuA=';

    0
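    As an added illustration of the point raised in the comment above (not code from the article or from BitSight), the Python below computes the CSP hash source expression for a piece of inline CSS and applies a simplified model of the CSP Level 3 rule: a matching hash is enough for an inline <style> element, but a style="" attribute additionally needs 'unsafe-hashes' in style-src. The sample styles and policies are constructed for the example.

    ```python
    import base64
    import hashlib
    import re

    # Constructed samples; these are not the hash or markup from the comment above.
    SAMPLE_STYLE_ATTR = "color: red"            # content of a style="" attribute
    SAMPLE_STYLE_ELEMENT = "body { margin: 0 }"  # content of a <style> element


    def csp_hash(source_text: str, algo: str = "sha256") -> str:
        """Return the CSP source expression ('sha256-<base64>') for inline content.

        The digest covers the exact UTF-8 bytes of the content, whitespace included,
        so any reformatting of the inline CSS changes the required hash.
        """
        digest = hashlib.new(algo, source_text.encode("utf-8")).digest()
        return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


    def parse_directive(policy: str, name: str) -> list[str]:
        """Return the source list of one directive (e.g. 'style-src') from a CSP header value."""
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == name:
                return tokens[1:]
        return []


    def inline_style_allowed(policy: str, content: str, is_attribute: bool) -> bool:
        """Simplified CSP Level 3 check for inline CSS against the style-src directive.

        - 'unsafe-inline' permits everything, but is ignored once any hash or nonce is listed.
        - A matching hash permits a <style> element (is_attribute=False).
        - For a style="" attribute (is_attribute=True) the hash only counts when
          'unsafe-hashes' is also present; nonces never apply to attributes.
        """
        sources = parse_directive(policy, "style-src")
        has_hash_or_nonce = any(re.match(r"'(sha256|sha384|sha512|nonce)-", s) for s in sources)
        if "'unsafe-inline'" in sources and not has_hash_or_nonce:
            return True
        candidate_hashes = {csp_hash(content, algo) for algo in ("sha256", "sha384", "sha512")}
        if not any(h in sources for h in candidate_hashes):
            return False
        return (not is_attribute) or "'unsafe-hashes'" in sources


    if __name__ == "__main__":
        hash_only = "default-src 'self'; style-src 'self' " + csp_hash(SAMPLE_STYLE_ATTR)
        fixed = "default-src 'self'; style-src 'self' 'unsafe-hashes' " + csp_hash(SAMPLE_STYLE_ATTR)
        print("attribute, hash only:  ", inline_style_allowed(hash_only, SAMPLE_STYLE_ATTR, True))
        print("attribute, unsafe-hashes:", inline_style_allowed(fixed, SAMPLE_STYLE_ATTR, True))
        print("element, hash only:    ", inline_style_allowed(hash_only, SAMPLE_STYLE_ATTR, False))
    ```

    The check mirrors the error text quoted in the comment: with only the hash listed, the attribute is refused, while the same hash plus 'unsafe-hashes' (or moving the CSS into a class) clears it.
    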
  • Anthony Pinto

    Please update the Example “GOOD” policy: from above to reflect what needs to be done to satisfy BitSight requirements for CSP to achieve a "GOOD" grade for the record. Using the above GOOD example will only get you a FAIR grade since the algorithm update. Also if you could, provide a GOOD example using a nonce or hash that will meet BitSight requirements as you can't always remove inline scripts or sources as it may impact app performance. 


    2
  • Chad Brigance

    +1 on examples that would result in FAIR and GOOD.

    0
