Content Security Policy (CSP) is a mechanism that restricts the sources from which content can be loaded, reducing the attack surface for XSS and letting us detect attempts.
I suggest that we only load scripts and other static resources from specific subdomains (cdn, user-profile, etc.) and lock down other features we don’t need, like base tags. Additionally, we need some kind of endpoint to log CSP violations to.
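As an added example (not code from this post or from the linked references), here is one way to emit such a header and normalize the violation reports the browser posts back; the `*.example.com` hosts and the `/csp-report` path are assumptions.

```python
import json
from typing import Dict, List

def build_csp(static_hosts: List[str], report_path: str,
              report_only: bool = False) -> Dict[str, str]:
    """Scripts, styles and images only from the listed subdomains, no inline
    script, <base> tags blocked, violations posted to report_path."""
    hosts = " ".join(static_hosts)
    directives = [
        "default-src 'self'",
        f"script-src {hosts}",          # no 'unsafe-inline', no 'self'
        f"style-src {hosts}",
        f"img-src {hosts}",
        "object-src 'none'",            # no plugin content
        "base-uri 'none'",              # defeats <base href> injection
        "form-action 'self'",
        "frame-ancestors 'none'",
        f"report-uri {report_path}",    # legacy reporting directive
    ]
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return {name: "; ".join(directives)}

def parse_violations(body: bytes) -> List[Dict[str, str]]:
    """Normalize a posted report into log records. Handles the report-uri shape
    ({"csp-report": {...}}) and the Reporting API list of "csp-violation" items."""
    data = json.loads(body)
    records = []
    if isinstance(data, dict) and "csp-report" in data:
        r = data["csp-report"]
        records.append({"document": r.get("document-uri", ""),
                        "directive": r.get("effective-directive") or r.get("violated-directive", ""),
                        "blocked": r.get("blocked-uri", "")})
    elif isinstance(data, list):
        for item in data:
            if item.get("type") != "csp-violation":
                continue
            b = item.get("body", {})
            records.append({"document": b.get("documentURL", ""),
                            "directive": b.get("effectiveDirective", ""),
                            "blocked": b.get("blockedURL", "")})
    else:
        raise ValueError("unrecognized CSP report payload")
    return records

# Constructed sample: browser report when an injected inline script is blocked.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://app.example.com/profile", "violated-directive": "script-src",
    "effective-directive": "script-src", "blocked-uri": "inline"}}).encode()
```

Start with `report_only=True` to collect reports without breaking the site, then switch to the enforcing header once the violations logged are only the ones you expect.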
References: https://www.lunasec.io/docs/blog/csp/ and https://content-security-policy.com/