# Security
# Content Security Policy
Content Security Policy (CSP) is a computer security standard introduced to prevent Cross-Site Scripting (XSS), clickjacking, and other code injection attacks resulting from the execution of malicious content in the trusted web page context. In essence, it's a layer of protection that helps detect and mitigate certain types of attacks, including Data Injection attacks.
CSP works by specifying a list of trusted sources of content for your website. The web server communicates this list to the browser, which will then only execute or render resources from those sources. The list is sent in a dedicated HTTP response header called "Content-Security-Policy".
Disabling CSP
It's also possible to disable the entire Content Security Policy, but only use this option if you fully understand the consequences.
# Directives
We support multiple directives; the supported ones are listed below. A directive is a specific instruction that can be part of your CSP.
- `styleSrc`: controls which stylesheets the user's browser is allowed to load for the page.
- `scriptSrcElem`: specifies valid sources for JavaScript `<script>` elements.
- `fontSrc`: controls sources for font loading.
- `scriptSrc`: specifies valid sources for loading scripts.
- `frameSrc`: controls sources for injected frames.
- `imgSrc`: specifies valid sources of images and favicons.
- `connectSrc`: controls which URLs may be loaded through script interfaces (for example fetch and XMLHttpRequest).
- `reportTo`: defines an endpoint to send CSP violation reports to.
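The directive names above are the camelCase keys you select in Novti; the browser expects the standard hyphenated names (`script-src`, `report-to`, ...) with keyword, nonce and hash sources single-quoted. The following is an added example, not Novti's own code, showing how such a configuration is turned into the actual header values. The camelCase-to-directive mapping, the `buildCspHeaders` function, the `csp-endpoint` group name and the sample configuration are assumptions made for this example.

```javascript
// Added example, not part of Novti or this page: builds the Content-Security-Policy
// header value from a configuration keyed by the camelCase directive names used above.
// The mapping from camelCase names to the standard directive names is an assumption.
const DIRECTIVE_NAMES = {
  styleSrc: "style-src",
  scriptSrc: "script-src",
  scriptSrcElem: "script-src-elem",
  fontSrc: "font-src",
  frameSrc: "frame-src",
  imgSrc: "img-src",
  connectSrc: "connect-src",
  reportTo: "report-to",
};

// Keyword sources, nonces and hashes must be single-quoted in the header;
// host sources and schemes (https://cdn.example.com, https:) are written as-is.
const KEYWORDS = new Set(["self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"]);
const HASH_OR_NONCE = /^(sha256|sha384|sha512|nonce)-[A-Za-z0-9+/]+=*$/;

function quoteSource(src) {
  const s = String(src).trim();
  if (s === "") throw new Error("empty source value");
  return KEYWORDS.has(s) || HASH_OR_NONCE.test(s) ? `'${s}'` : s;
}

// Group name (assumed) that ties the report-to directive to the Reporting-Endpoints header.
const REPORT_GROUP = "csp-endpoint";

// Returns the headers to send. `config.reportTo` is the endpoint URL as entered in the
// Novti form; the report-to directive itself references a group name, so the URL is
// emitted in a separate Reporting-Endpoints header.
function buildCspHeaders(config) {
  const parts = [];
  const headers = {};
  for (const [key, value] of Object.entries(config)) {
    const name = DIRECTIVE_NAMES[key];
    if (!name) throw new Error(`unknown directive: ${key}`);
    if (key === "reportTo") {
      headers["Reporting-Endpoints"] = `${REPORT_GROUP}="${String(value)}"`;
      parts.push(`${name} ${REPORT_GROUP}`);
      continue;
    }
    const sources = (Array.isArray(value) ? value : [value]).map(quoteSource);
    if (sources.length === 0) throw new Error(`no sources given for ${key}`);
    parts.push(`${name} ${sources.join(" ")}`);
  }
  headers["Content-Security-Policy"] = parts.join("; ");
  return headers;
}

// Constructed sample configuration; the hash value is the one shown later on this page.
const SAMPLE_CONFIG = {
  scriptSrc: ["self", "https://cdn.example.com", "sha256-T6AAKdWx06p6GZVyzGAJDSLHOoPuuoZ6LlqMX153CvM="],
  imgSrc: "self",
  reportTo: "https://reports.example.com/csp",
};

// Usage: const headers = buildCspHeaders(SAMPLE_CONFIG); set each one on the HTTP response.
```

A source list that contains a bare `self` or an unquoted hash is a common mistake: the browser treats the unquoted token as a host name, the policy silently stops matching, and the console fills with violation errors. Keeping the quoting in one helper avoids that.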
# reportTo Directive
The report-to directive is designed specifically to route all detected Content Security Policy (CSP) errors to a separate endpoint. This feature is particularly useful for centralizing the monitoring of CSP errors, ensuring you stay updated on any issues encountered on the pages your system serves. Errors are sent in JSON format via a POST request, so it's crucial that your system is set up to receive and store these errors effectively.
# How to Set Up the report-to Directive
- Open Novti and navigate to Security > Content-Security-Policy.
- Add a new item.
- Enter a name for your directive, such as `CSP Report Endpoint`.
- Specify the endpoint URL where errors should be sent.
- Choose the `reportTo` directive from the options and click save.
With these steps completed, your system is now configured to collect CSP errors at your designated endpoint.
NOTE: For more information about the CSP report-to directive, please refer to the official Mozilla documentation.
# Hashes
Now, let's talk about generating a hash in the context of CSP. Hashes in CSP are used to allow a specific inline script or style to be executed, while still maintaining protection against unsafe-inline scripts or styles. This is useful when you have a specific script or style that must be inline and you don't want to allow all inline scripts or styles.
To generate a hash, you need to follow these steps:
- Open your web page in a browser. This can be done in preview mode.
- Open the developer tools console. You can usually do this by right-clicking anywhere on the page and selecting "Inspect" or "Inspect Element", then navigating to the "Console" tab. The exact process may differ depending on the browser you are using.
- If your page is trying to run an inline script or style that's being blocked by your CSP, you should see an error message in the console. This error message will tell you that a specific script or style was blocked, and it will give you the expected hash of that script or style. See the image below.
- Add this hash to your CSP with the right type. For example, if it's a script, you might add it to your `scriptSrc` directive like this: name `form io cdn`, value `sha256-T6AAKdWx06p6GZVyzGAJDSLHOoPuuoZ6LlqMX153CvM=`, type `scriptSrc`.
- After updating the CSP, reload your web page. The script or style that was previously blocked should now be allowed to run, as long as you've entered the hash value correctly. To confirm that the script executes as expected, check the developer console and make sure the Content Security Policy error message has disappeared.