+2 votes
239 views
asked in Web Development by (150 points)  

Content Security Policy (CSP) is promoted as a way to mitigate content injection vulnerabilities, including cross-site scripting. When making a website, when should a CSP header be included, and when is it of no use?

I read https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP, which explained what CSP is, but I am still confused as to when to use it.


1 Answer

+3 votes
answered by (116k points)  

Content Security Policy (CSP) is designed to mitigate XSS. When attackers find a website vulnerable to XSS attacks, they have two options for injecting malicious scripts into it:

  • Inline script: when attackers put their code directly into your website’s HTML.
  • Load script from an external domain: when attackers load a script from multiple infected sites and modify the script when they need to. All the changes will be reflected on those sites.

However, it could happen to any website, but CSP is most useful when your web pages contain HTML forms for users to submit data, which can also be exploited to run malicious commands on the server.

...
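As an added illustration (not part of the answer above), the checker below parses a CSP header and reports whether its effective script policy still permits the two vectors the answer lists: inline scripts and scripts loaded from arbitrary external hosts. The sample headers, nonce and CDN host name are constructed for this example.

```python
import re

# Constructed sample headers (not from the answer): a weak policy, a host
# allowlist, and a nonce-based policy that still allows any https: host.
WEAK_CSP = "default-src *; script-src * 'unsafe-inline'"
STRICT_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'"
NONCE_CSP = "script-src 'nonce-r4nd0m' 'unsafe-inline' https:"

# Source expressions that let a script load from any origin at all.
OPEN_HOST_SOURCES = {"*", "http:", "https:", "http://*", "https://*"}


def parse_csp(header):
    """Return {directive: [source tokens]}; the first occurrence of a
    directive wins, which is how browsers treat duplicate directives."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_script_sources(policy):
    """script-src governs scripts if present; otherwise default-src applies;
    if neither is set, script loading is unrestricted (None)."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def assess_script_policy(header):
    """Report whether the policy blocks inline scripts and scripts from
    arbitrary hosts, the two injection options described in the answer."""
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return {"blocks_inline": False, "blocks_any_host": False}
    lowered = [s.lower() for s in sources]
    if "'none'" in lowered:
        return {"blocks_inline": True, "blocks_any_host": True}
    # A nonce or hash source makes CSP Level 2+ browsers ignore 'unsafe-inline'.
    has_nonce_or_hash = any(re.match(r"'(nonce-|sha(256|384|512)-)", s) for s in lowered)
    blocks_inline = "'unsafe-inline'" not in lowered or has_nonce_or_hash
    # A wildcard or bare scheme lets an attacker host the script anywhere.
    blocks_any_host = not any(s in OPEN_HOST_SOURCES for s in lowered)
    return {"blocks_inline": blocks_inline, "blocks_any_host": blocks_any_host}


if __name__ == "__main__":
    for name, header in [("weak", WEAK_CSP), ("strict", STRICT_CSP), ("nonce", NONCE_CSP)]:
        print(name, assess_script_policy(header))
```

A policy that allowlists specific hosts still permits any script those hosts serve, so the check reports only whether arbitrary origins are excluded, not whether every allowed host is trustworthy.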