Protect your site with a Content Security Policy

Whether you have a simple WordPress blog or a highly-customized Magento Ecommerce site, security should always be a top concern. We have discussed various security tactics previously, but a recent development that has made a big impact in the web security world deserves further attention: Content Security Policies (CSP).

What is a Content Security Policy?

In simple terms, a CSP is a method of instructing browsers, in explicit terms, what they may load and display on a site. As an example, a website whose CSP allows JavaScript files only from itself and google.com will reject any JavaScript file hosted elsewhere. The same can be done for all sorts of assets on the site, such as images, fonts, styles, and a number of other resources. A full list of directives can be found in the CSP specification and other places.

In addition to domains and locations, a CSP can specify whether inline styles and scripts are allowed or whether those resources may only be served from separate files. Since this is a relatively new and evolving technique, increasingly sophisticated methods of content security are being introduced.

What is the advantage of using a Content Security Policy on my site?

The primary advantage of using a Content Security Policy is its very solid protection against malicious content introduced into a site. For example, a very widespread Magento hack known as Magecart adds a JavaScript file hosted elsewhere to the Magento checkout page; that script intercepts credit card details and sends them to a third-party site. This can occur if a Magento site is hacked and the attacker has access to the HTML header or footer of the site through the Magento store admin. With a CSP in place that specifies the allowed origins of JavaScript files, this malicious file will not be loaded and no credit card information can be stolen.

This applies to simple blogging sites as well. Another typical hack involves altering all links on a site to point to some third-party site for malicious reasons. A CSP specifying the allowed domains for links would not allow the hacked links to go to the malicious third-party domain.

What are possible disadvantages to a Content Security Policy?

While a CSP will undoubtedly make a site more secure, it will also require some extra thought and consideration when working on the site. For example, if a new plugin installed on a WordPress site loads legitimate JavaScript files from a domain not specified in the CSP, the plugin will likely not work and the site may even break. Thus, when an active CSP is in place, it is even more important to test every new feature on a development site first.

How do I set up a Content Security Policy on my site?

While there are certain WordPress plugins that can add a CSP to a WordPress site, we’ve found that they do not work very well and are not nearly as secure as having a qualified developer set one up at the server level. Either way, it requires testing to make sure all legitimate assets are loading correctly and no site functionality is lost.
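To make the checkout scenario above concrete, here is an added example (not code from this post or from any particular site) that builds the kind of policy a developer would send in the Content-Security-Policy header and then checks sample resource loads against it the way a browser would. The site origin, the policy, and the resource URLs are all constructed for illustration; the matching logic is a simplified version of the browser's source-expression rules (scheme and host only, no path or port handling).

```python
from urllib.parse import urlparse

# Constructed example: the site's own origin (hypothetical name).
SITE_ORIGIN = "https://shop.example"

# The header value a developer would configure at the server level:
# scripts may come only from the site itself and www.google.com,
# images also from data: URIs, and everything else only from the site.
POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://www.google.com; "
    "img-src 'self' data:; "
    "style-src 'self'"
)

def parse_policy(policy):
    """Turn a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives

def source_matches(source, resource_url, site_origin):
    """Simplified source-expression match: 'self', scheme sources, hosts, *.wildcards."""
    res = urlparse(resource_url)
    if source == "'self'":
        site = urlparse(site_origin)
        return (res.scheme, res.netloc) == (site.scheme, site.netloc)
    if source.endswith(":"):                  # scheme source such as data: or https:
        return res.scheme == source[:-1]
    src = urlparse(source)
    if src.scheme and src.scheme != res.scheme:
        return False
    host = src.netloc or source                # "https://host" vs bare "host"
    if host.startswith("*."):
        return res.netloc.endswith(host[1:])
    return res.netloc == host

def is_allowed(policy, site_origin, resource_type, resource_url=None, inline=False):
    """True if a browser enforcing `policy` would load the resource.
    resource_type is 'script', 'img', 'style', 'font', ...; falls back to default-src."""
    directives = parse_policy(policy)
    if f"{resource_type}-src" in directives:
        sources = directives[f"{resource_type}-src"]
    elif "default-src" in directives:
        sources = directives["default-src"]
    else:
        return True                            # no governing directive: unrestricted
    if inline:
        return "'unsafe-inline'" in sources    # inline code needs explicit opt-in
    return any(source_matches(s, resource_url, site_origin) for s in sources)
```

Running `is_allowed` against a script URL from an origin the policy does not list returns False, which is exactly what stops an injected third-party checkout script from executing; the same call with `inline=True` shows that inline scripts are refused unless `'unsafe-inline'` is present.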

Despite the additional overhead a CSP may incur, it is a very useful security tool that is increasingly becoming standard practice. That additional work on your site may prove to be very important some day.
