
The Content-Security-Policy header seems to be a great way to make websites more secure. However, we tried to find any large website that is using this header and we didn't find a single one, unlike many other security-related headers. That is strange, and I would like to know if there are any problems (caching, bugs etc.) that may be caused by this header.

user1224129
    [Twitter uses CSP.](https://blog.twitter.com/2011/improving-browser-security-csp) – Gumbo Jan 26 '14 at 03:38
  • Yes, it's safe to use CSP. A CSP-aware browser will enforce the policy. Non-aware browsers will silently ignore it. Aware browsers include Chrome version 25 and later and Firefox version 23. OWASP has a page dedicated to [Content Security Policy](https://www.owasp.org/index.php/Content_Security_Policy). – jww Jan 26 '14 at 09:54
  • To get a real advantage out of CSP you have to forbid code using eval, script inside HTML attributes etc. Because these insecure constructs are widely used, lots of web applications would need to be rewritten to get the security advantage of CSP. This will cost time and money, and thus most companies just take the cheap way and hope that nobody finds the bugs. And of course, as long as IE does not support full CSP the security advantage might not be big enough :( – Steffen Ullrich Jan 26 '14 at 19:04
  • As far as I know Twitter uses CSP only on their mobile version. Probably they had a fresh start there and could design the site with CSP in mind. – Steffen Ullrich Jan 26 '14 at 19:09
  • Yes it is safe, although be aware that any unsupported browser will not have the protection that CSP offers. The risk is your site may be vulnerable in older browsers. You could perhaps detect this and show a warning message that a browser upgrade is recommended to stay safe. – SilverlightFox Feb 03 '14 at 18:10
  • I think the question should be "Is it safe to not have a CSP?" And the answer is a strong no, you need a CSP. – rook Sep 05 '16 at 12:53

1 Answer


Yes, CSP is safe, but you cannot rely on it alone.

CSP will make XSS attacks very difficult (though not impossible) against visitors to your site that have browsers that support it.

Lots of browsers don't support it though - IE11 still doesn't, so you still need to strictly manage any user input displayed or echoed to limit your risk.

Implementing CSP in an existing application can be very painful: to get the full benefit you are stopped from using inline CSS and JavaScript. This in turn breaks lots of libraries and frameworks - for instance Modernizr breaks with CSP on.

For this reason it isn't widely used yet.

Keith
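As an added illustration of the migration the answer describes (example code written for this page, not from the original post or from any project named here): a per-response nonce policy instead of `'unsafe-inline'`, a Report-Only variant for finding breakage before enforcing, and a heuristic check for inline event handlers that a strict policy will block. The `/csp-report` endpoint and the sample HTML are assumptions.

```python
import re
import secrets
from typing import Tuple


def generate_nonce() -> str:
    """Fresh random nonce for each HTTP response. Never reuse one: a page
    cached (by a CDN or proxy) with a fixed nonce hands out a known-good
    nonce, which is the caching pitfall the question asks about."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str, report_only: bool = False) -> Tuple[str, str]:
    """Return (header name, header value) for a strict policy.

    No 'unsafe-inline': inline <script> blocks run only if they carry this
    response's nonce. Report-only mode logs violations without blocking,
    which is how you find what breaks in an existing app before enforcing."""
    directives = [
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}'",
        "style-src 'self'",
        "object-src 'none'",
        "report-uri /csp-report",  # assumed endpoint that records violation reports
    ]
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, "; ".join(directives)


# Matches <script ...> tags that have no src= attribute, i.e. inline scripts.
_INLINE_SCRIPT = re.compile(r"<script(?![^>]*\bsrc=)([^>]*)>", re.IGNORECASE)
# Heuristic for inline event handlers such as onclick=; nonces cannot cover these.
_INLINE_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def add_nonce_to_inline_scripts(html: str, nonce: str) -> str:
    """Stamp the response nonce on inline <script> tags the server itself
    emits so the strict policy allows them. Only server-authored templates
    go through this step; user-supplied markup must never be nonced."""
    return _INLINE_SCRIPT.sub(lambda m: f'<script nonce="{nonce}"{m.group(1)}>', html)


def count_inline_handlers(html: str) -> int:
    """Inline handlers stop working under the policy above and must be
    moved into external script files; report how many a page still has."""
    return len(_INLINE_HANDLER.findall(html))


# Constructed sample page (not from the original post) mixing the three cases.
SAMPLE_HTML = (
    '<script src="/app.js"></script>'
    '<script>init();</script>'
    '<button onclick="go()">Go</button>'
)
```

Roll out with `report_only=True` first, watch the `/csp-report` log, and only switch to the enforcing header once the count of inline handlers and unexpected violations reaches zero.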