A strategy for a Rails Content Security Policy

A Content Security Policy (CSP) is a great way to reduce or completely remove Cross Site Scripting (XSS) vulnerabilities. With CSP, you can effectively disallow inline scripts and external scripts from untrusted sources. You define the policy via an HTTP header with rules for all types of assets.

Here’s an example policy HTTP header to allow assets (scripts, CSS, fonts, images, etc.) only from the default source, which is the same origin (‘self’). Scripts are also allowed from Google Analytics to make the tracking code work. Everything else is disallowed.

Content-Security-Policy: default-src 'self'; script-src 'self' https://www.google-analytics.com;

With 80% browser support, CSP is an important pillar of web application security. Or rather, will be an important pillar because not many have implemented it yet. Mainly because it means you’ll have to move all of your own inline scripts to external files and that can be a bit of work.

So instead of all the CSP details, I’ve written up an introduction strategy for your Content Security Policy. What browsers support it? What are the steps involved? Start with a blacklist or a whitelist? What can I do today if I’ve no time for this?

[Read A strategy for a Content Security Policy on cloudbees]