KnowledgeShop

Web Security

Vulnerabilities

XSS (Cross Site Scripting)

  • e.g., an input field whose value is written back into the page unescaped, so that injected JS such as <script>alert('hello')</script> runs in every visitor's browser

How to prevent?

HTTP Security Headers

Content-Security-Policy

  • used to mitigate cross-site scripting by telling the browser which sources of scripts, styles, images, frames and other resources are allowed to load
  • it is enabled by setting the Content-Security-Policy HTTP response header on each page the server returns.
# Default to only allow content from the current site
# Allow images from the current site and imgur.com
# Don't allow objects such as Flash and Java plugins
# Only allow scripts from the current site
# Only allow styles from the current site
# Only allow this page to be framed (embedded) by the current site
# Restrict URLs in the <base> tag to the current site
# Allow forms to submit only to the current site
Content-Security-Policy: default-src 'self'; img-src 'self' https://i.imgur.com; object-src 'none'; script-src 'self'; style-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self';
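The two points above (an unescaped reflection sink, and the CSP header as the second line of defence) side by side, as an added example that is not part of the original notes. The greeting endpoint, its /greet?name= parameter, the handler class and the sample input are all constructed for illustration; the directive values are exactly the ones in the header above, assembled from a dict so each one can be reviewed on its own.

```python
"""Added example: reflected-XSS sink beside its escaped form, plus a builder
for the Content-Security-Policy header shown above."""
import html
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed sample input: the payload from the XSS bullet above.
SAMPLE_NAME = "<script>alert('hello')</script>"

# The directives from the header above, one entry per directive (assumed
# layout; the values themselves are the page's).
CSP_DIRECTIVES = {
    "default-src": ["'self'"],
    "img-src": ["'self'", "https://i.imgur.com"],
    "object-src": ["'none'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "frame-ancestors": ["'self'"],
    "base-uri": ["'self'"],
    "form-action": ["'self'"],
}


def build_csp(directives=CSP_DIRECTIVES):
    """Serialise the directive map into a Content-Security-Policy header value."""
    parts = [f"{name} {' '.join(sources)}" for name, sources in directives.items()]
    return "; ".join(parts) + ";"


def render_greeting_vulnerable(name):
    """Reflects user input into HTML without encoding: this is the XSS sink."""
    return f"<h1>Hello {name}</h1>"


def render_greeting_safe(name):
    """Same page, with the input HTML-encoded so the browser renders it as text."""
    return f"<h1>Hello {html.escape(name, quote=True)}</h1>"


def security_headers():
    """Response headers that limit what the browser will execute even if an
    escape is missed somewhere: script-src 'self' blocks an inline <script>."""
    return {
        "Content-Security-Policy": build_csp(),
        "Content-Type": "text/html; charset=utf-8",
    }


class GreetingHandler(BaseHTTPRequestHandler):
    """Hypothetical endpoint: GET /greet?name=... served with escaping and CSP."""

    def do_GET(self):
        query = parse_qs(urlparse(self.path).query)
        name = query.get("name", ["world"])[0]
        body = render_greeting_safe(name).encode("utf-8")
        self.send_response(200)
        for key, value in security_headers().items():
            self.send_header(key, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Show the difference on the sample payload, then serve the hardened page.
    print(render_greeting_vulnerable(SAMPLE_NAME))
    print(render_greeting_safe(SAMPLE_NAME))
    print(build_csp())
    HTTPServer(("127.0.0.1", 8080), GreetingHandler).serve_forever()
```

Run it and request http://127.0.0.1:8080/greet?name=%3Cscript%3Ealert(1)%3C/script%3E: the escaped output shows the tag as literal text, and the response carries the CSP header, so even a template that forgot to escape would have its inline script refused by the browser (check the console for the CSP violation report). Escaping is the fix; the header is the safety net, not a replacement for it.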
