user1224129

Reputation: 2779

Is it safe to use Content-Security-Policy Header?

The Content-Security-Policy header seems to be a great way to make websites more secure. However, we tried to find a large website that is using this header and we didn't find a single one, unlike for many other security-related headers. That is strange, and I would like to know if there are any problems (caching, bugs, etc.) that may be caused by this header.

Upvotes: 2

Views: 1467

Answers (1)

Keith

Reputation: 155692

Yes, CSP is safe, but you cannot rely on it alone.

CSP will make XSS attacks very difficult (though not impossible) against visitors to your site that have browsers that support it.

Lots of browsers don't support it though - IE11 still doesn't, so you still need to strictly manage any user input displayed or echoed to limit your risk.

Implementing CSP in an existing application can be very painful: to get the full benefit, you are stopped from using inline CSS and JavaScript. This in turn breaks lots of libraries and frameworks - for instance, Modernizr breaks with CSP on.

For this reason it isn't widely used yet.

Upvotes: 2
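A check for the inline-script point made in the answer, written here as an added example (it is not code from the question or the answer): it parses a Content-Security-Policy header and reports whether arbitrary inline script or style is still permitted, applying the directive fallback to `default-src` and the rule that a nonce or hash source makes browsers ignore `'unsafe-inline'`. The sample headers in the comments are constructed for illustration.

```python
"""Report whether a CSP header still lets arbitrary inline code run."""

from __future__ import annotations

# Keywords whose presence makes a CSP Level 2+ browser ignore 'unsafe-inline'
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are separated by ';'; the first token is the directive name
    (case-insensitive). A directive repeated later in the same policy is
    ignored, which matches browser behaviour.
    """
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = [t.lower() for t in tokens[1:]]
    return policy


def governing_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Sources that apply to `directive`, falling back to default-src.

    Returns None when neither is present, i.e. the policy does not
    restrict this resource type at all.
    """
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def allows_arbitrary_inline(policy: dict[str, list[str]], directive: str = "script-src") -> bool:
    """True if injected inline code of this kind would be allowed to run."""
    sources = governing_sources(policy, directive)
    if sources is None:
        return True  # nothing governs this type, so CSP adds no protection
    if "'none'" in sources or not sources:
        return False  # an empty list behaves like 'none'
    if any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in sources) or "'strict-dynamic'" in sources:
        return False  # nonce/hash/strict-dynamic present: 'unsafe-inline' is ignored
    return "'unsafe-inline'" in sources


def report(header: str) -> dict[str, bool]:
    """Constructed example: report("default-src 'self'; style-src 'unsafe-inline'")
    -> {'script-src': False, 'style-src': True}"""
    policy = parse_csp(header)
    return {d: allows_arbitrary_inline(policy, d) for d in ("script-src", "style-src")}
```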
