
I am using the lighttpd/1.4.53 server. I want to add the HTTP header "Content-Security-Policy" for my server. I have a few questions related to this:

  1. As the documentation of this header suggests, most directives are domain-based. For example: Content-Security-Policy: default-src 'self'; script-src *.example.com. Is there a way to make this IP-based? Or can we make 'self' consider the server's own IP?
  2. How do I check the CSP version that is used by the browser and server? Does CSP use the same version as the parent HTTP protocol itself?

Documentation: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src

1 Answer


most directives are domain based ... Is there a way to make this IP based?

The CSP spec does not allow using IP addresses except 127.0.0.1; see the match-hosts section. Chrome and Firefox do, however, support IPv4 addresses as host sources.

can we make 'self' consider the server's own IP

There is no way to do that. In addition, it is impossible to make an SSL certificate for IP addresses, so HTTPS will not work.

How to check the CSP version that is used by the browser and server?

Support for the directives and features of the different CSP versions is being implemented by browsers gradually. Therefore, there is no clearly defined line between CSP2 and CSP3 browsers.
Some browsers partially support CSP3 but have not implemented some elements of CSP2.

Does CSP use the same version as the parent HTTP protocol itself?

There is no relation between the HTTP protocol version and the CSP version.

granty
  • Thanks. So do we need to worry about whether the CSP versions of the server and browsers match? – Hrishikesh Bawane Oct 07 '21 at 12:25
  • The server does not have a CSP version; it just sends a string in the CSP header (exactly what you wrote there). Some browsers may not understand some directives/tokens in this header. For such cases the CSP can be made backward-compatible for browsers. – granty Oct 07 '21 at 12:40
  • It is possible to make an SSL certificate for IP addresses. Please check the Stack Overflow post regarding the same: https://stackoverflow.com/questions/2043617/is-it-possible-to-have-ssl-certificate-for-ip-address-not-domain-name#:~:text=The%20answer%20is%20yes.,authority%20rather%20than%20the%20technology. – Prashant Biradar Sep 01 '22 at 14:42
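The match-hosts rule the answer cites, worked through as an added example (this is not code from the question's lighttpd setup, from the answer, or from any browser): a Python reimplementation of the CSP Level 3 scheme-part, host-part and port-part matching plus 'self', simplified to skip path matching, so a policy can be checked against the URLs it must allow before it is deployed. The hostnames, IP addresses and policy expressions used in the checks are constructed sample values.

```python
import re
from urllib.parse import urlsplit

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

def host_part_match(pattern: str, host: str) -> bool:
    """CSP3 'host-part match': an IPv4 literal other than 127.0.0.1 never matches."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # "*.example.com" -> ".example.com" suffix
    if pattern != host:
        return False
    if IPV4_RE.fullmatch(pattern) and pattern != "127.0.0.1":
        return False                        # the spec rule the answer above refers to
    return True

def scheme_part_match(pattern: str, scheme: str) -> bool:
    """Exact match, plus the http->https and ws->wss upgrades CSP3 permits."""
    pattern, scheme = pattern.lower(), scheme.lower()
    return pattern == scheme or (pattern, scheme) in {("http", "https"), ("ws", "wss")}

def _port(u): return u.port or DEFAULT_PORTS.get(u.scheme)
def _is_default_port(u): return u.port is None or u.port == DEFAULT_PORTS.get(u.scheme)

def source_matches(expr: str, url: str, page_origin: str) -> bool:
    """True if CSP source expression `expr` allows `url` for a page served from `page_origin`."""
    u, o = urlsplit(url), urlsplit(page_origin)
    if expr == "'self'":                    # origin comparison, not a host-source
        return (scheme_part_match(o.scheme, u.scheme) and o.hostname == u.hostname
                and (_port(o) == _port(u) or (_is_default_port(o) and _is_default_port(u))))
    m = re.fullmatch(r"([A-Za-z][\w+.-]*):", expr)           # scheme-source, e.g. "https:"
    if m:
        return scheme_part_match(m.group(1), u.scheme)
    m = re.fullmatch(r"(?:([A-Za-z][\w+.-]*)://)?([^:/]+)(?::(\d+|\*))?", expr)
    if not m:
        return False                        # nonces, hashes and other keywords are out of scope
    scheme, host, port = m.groups()
    if not scheme_part_match(scheme or o.scheme, u.scheme):
        return False
    if not host_part_match(host, u.hostname or ""):
        return False
    if port == "*":
        return True
    if port is None:                        # no port in the expression: URL must use its default
        return _is_default_port(u)
    return int(port) == _port(u)
```

Run `source_matches("203.0.113.5", "https://203.0.113.5/app.js", "https://203.0.113.5")` and it returns False even though the host strings are identical, which is exactly why an IP-based source list does not work by spec; the same call with "127.0.0.1" returns True.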