How can a lack of CSP harm a website?

Let's say you have a website on which you show advertising to users and earn money honestly. Everything goes well until users whose browsers are infected start visiting you. An infected browser replaces the advertising on your site with its own and shows that to the user. The result: a ranking penalty from search engines and a drop in revenue. If you deploy a CSP policy on your site, other people's ads are no longer shown to the end user, because the server the ad tries to load from is not on the whitelist. Now everything is fine again!

The application lets you configure a CSP policy for the site, the shop, the blog and the hub through a form accessible to the user. The policy follows the W3C "Content Security Policy Level 2" specification.

Application features: control over the sources of styles, scripts, images, fonts, video and audio files, etc. on the site; control over the sending of data to other sites, including logins and passwords; and, by analyzing the reports about which resource was blocked, detection of malicious code that attackers have injected into the pages ;)

The application does not change the HTML of the page; it only generates a header that the server sends to the browser.

The application integrates automatically only with the "Site", "Shop", "Blog" and "Photos" applications/modules; for other applications the code must be added to the main template file (index.html)...

Three years ago the developers of several major browsers, including Mozilla, created a new security standard that prevents XSS and related attacks by forbidding the loading and execution of scripts from sources that are not allowed. It is called Content Security Policy (CSP).

At the time of writing, the CSP standard has Candidate Recommendation status, which means that the W3C may adopt it as a standard in the future. All popular browsers already support it.

Now a little more theory, and then straight on to practice. Patience! 😉

CSP reacted as expected. In Report-Only mode the image was loaded and the inline JavaScript was executed, but at the same time the browser console scolded us: it stated that there had been two violations.

Now let's change the header from Content-Security-Policy-Report-Only to Content-Security-Policy and see what happens: again we try to run an inline script and load an image from a third-party host. This is how our brave defender reacts: the inline script is not executed, and the image is not loaded. Cool, right?

Now you can experiment on your own. The two tables in which we examined the directives and the keywords for specifying hosts will be useful to you. Try replacing 'self' with https://ilolgostore.com/ and see what happens: the image is able to load, since its server is now on the whitelist.

Note that it is preferable to specify the host together with its scheme, because otherwise the scheme is taken from the current page. For example, if you specify the host as ilolgostore.com and your server runs on https, the whitelisted entry will be https://ilolgostore.com/...
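The switch between the two header names described above, and the scheme rule for host sources from the last paragraph, as an added Python example that is not part of the original application: build_csp_header assembles the header value from a map of directives, normalize_host_source makes the inherited scheme explicit (a host written without a scheme takes the scheme of the current page), and find_schemeless_hosts lists the entries you may want to make explicit before switching from test mode to enforcing mode. Function and parameter names are my own.

```python
"""Added example (not the application's own code): assemble the two CSP
headers the article compares and apply the scheme rule for host sources."""
from typing import Dict, Iterable, List, Tuple


def is_host_source(source: str) -> bool:
    """True for entries such as example.com or *.cdn.example.com, which name a
    host (possibly with port or path) but carry no scheme of their own."""
    if source.startswith("'") or source == "*":
        return False          # keyword ('self', 'none', 'unsafe-inline', ...) or bare wildcard
    if source.endswith(":"):
        return False          # scheme source such as https: or data:
    return "://" not in source


def normalize_host_source(source: str, page_scheme: str) -> str:
    """Return the source as the browser will effectively match it. A host written
    without a scheme inherits the scheme of the page that carries the header
    (page_scheme is an assumed parameter name; the article's example is
    ilolgostore.com -> https://ilolgostore.com on an https site)."""
    if is_host_source(source):
        return f"{page_scheme}://{source}"
    return source


def find_schemeless_hosts(directives: Dict[str, Iterable[str]]) -> List[Tuple[str, str]]:
    """List (directive, source) pairs that rely on scheme inheritance, so they
    can be written out explicitly before the policy goes into enforcing mode."""
    return [(d, s) for d, sources in directives.items() for s in sources if is_host_source(s)]


def build_csp_header(directives, page_scheme="https", report_only=False, report_uri=None):
    """Return (header_name, header_value). report_only=True selects
    Content-Security-Policy-Report-Only, which reports violations but blocks nothing."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    parts = []
    for directive, sources in directives.items():
        expanded = " ".join(normalize_host_source(s, page_scheme) for s in sources)
        parts.append(f"{directive} {expanded}")
    if report_uri:
        parts.append(f"report-uri {report_uri}")
    return name, "; ".join(parts)


if __name__ == "__main__":
    policy = {"default-src": ["'self'"], "img-src": ["'self'", "ilolgostore.com"]}
    for test_mode in (True, False):   # test mode first, then "combat" mode
        print(": ".join(build_csp_header(policy, report_only=test_mode,
                                          report_uri="http://localhost/csp/collector.php")))
    print("entries relying on scheme inheritance:", find_schemeless_hosts(policy))
```

Run it once with report_only=True while you read the reports, and flip the flag only when the directives have stopped producing unexpected violations.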

Processing of reports

The beauty of this policy is that, in addition to blocking, we can also collect violation reports!

Remember that in the example HTTP header we specified report-uri http://localhost/csp/collector.php as the URL the reports are sent to?

As you can guess, all violation reports will be sent to this URL.

This is what a violation report looks like (in JSON format):

You can do anything you like with this report, for example save it to a database or send it by email. I suggest saving all violations to a CSV file. Let's do it!

Create a collector.php file and write the following lines in it:

Now refresh the page again and look in the directory http://localhost/csp/.

You should have a report.csv file with two lines:

Hooray! We received the violation report and saved it to a file. You can show this file to your friends, but the best thing is to start implementing CSP on your site, first in test mode and then in "combat" mode. During the testing phase the reports help you analyze which directives are triggering violations and adjust them accordingly.
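The collector described above (receive the JSON report at report-uri, append it to a CSV file), as an added example that is not the article's collector.php; it is written in Python rather than PHP so it can be run and tested stand-alone. It parses the report body, rejects malformed or oversized bodies and caps field lengths, because the endpoint accepts input from any browser that reaches it, and appends one CSV row per accepted report. The field names are those of the CSP Level 2 report format; SAMPLE_REPORT is a constructed report, and the function names are my own.

```python
"""Added example (not the article's collector.php): a CSP violation-report
collector that appends accepted reports to a CSV file."""
import csv
import io
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# CSV columns: a receive timestamp plus the CSP Level 2 report fields we keep.
COLUMNS = ["received_at", "document-uri", "violated-directive", "effective-directive",
           "blocked-uri", "original-policy", "source-file", "line-number", "status-code"]
MAX_BODY_BYTES = 64 * 1024    # a genuine report is a few hundred bytes
MAX_FIELD_CHARS = 2048        # report values are untrusted; cap what lands in the CSV

# Constructed sample: what the browser posts when img-src 'self' blocks an image
# from the third-party host used in the article.
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "http://localhost/csp/",
        "referrer": "",
        "violated-directive": "img-src 'self'",
        "effective-directive": "img-src",
        "original-policy": "default-src 'self'; img-src 'self'; report-uri http://localhost/csp/collector.php",
        "blocked-uri": "https://ilolgostore.com",
        "status-code": 200,
    }
}).encode("utf-8")


def parse_report(body: bytes) -> Optional[dict]:
    """Turn a raw POST body into a CSV row dict, or None if the body is not a
    well-formed CSP report (so garbage can never crash or bloat the collector)."""
    if len(body) > MAX_BODY_BYTES:
        return None
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(data, dict) or not isinstance(data.get("csp-report"), dict):
        return None
    report = data["csp-report"]
    row = {"received_at": datetime.now(timezone.utc).isoformat(timespec="seconds")}
    for column in COLUMNS[1:]:
        row[column] = str(report.get(column, ""))[:MAX_FIELD_CHARS]
    return row


def append_report(row: dict, fileobj) -> None:
    """Append one row; write the header first if the file is still empty.
    fileobj must be positioned at the end (a file opened with mode 'a+')."""
    writer = csv.DictWriter(fileobj, fieldnames=COLUMNS)
    if fileobj.tell() == 0:
        writer.writeheader()
    writer.writerow(row)


def collect(body: bytes, fileobj) -> bool:
    """Handle one report request; returns True if the report was accepted."""
    row = parse_report(body)
    if row is None:
        return False
    append_report(row, fileobj)
    return True


def run_collector(bodies: List[bytes], fileobj=None) -> Tuple[int, List[dict]]:
    """Feed raw request bodies through the collector and return how many were
    accepted together with the rows now in the CSV (in-memory buffer by default)."""
    fileobj = fileobj if fileobj is not None else io.StringIO()
    accepted = sum(collect(body, fileobj) for body in bodies)
    fileobj.seek(0)
    return accepted, list(csv.DictReader(fileobj))


if __name__ == "__main__":
    with open("report.csv", "a+", newline="") as report_file:
        count, rows = run_collector([SAMPLE_REPORT, b"not a report"], report_file)
    print(f"accepted {count} report(s); report.csv now holds {len(rows)} row(s)")
```

In a real deployment the request handler reads the POST body with the Content-Type application/csp-report, calls collect, and always answers with an empty 204; the browser does nothing with the response, so there is no reason to reveal in it whether the report was accepted.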


**************************************************

Thank you to the Russian Federation (The tug of war of the web) for allowing us to protect our work with the best technologies!


Comments (1)

Yvon-Daniel
May 25, 2024 18:36
We don't play checkers here. We play chess!