Tuesday, August 23, 2022

Content Security Policy CSP In or Out

Content Security Policy, and its script-src directive in particular, is something most tech leads and developers will have come across. A missing or weak CSP is one of the most common low-severity findings raised by external penetration testers, who usually recommend allowlisting the JS libraries and third-party scripts the site uses as a defence against XSS.

CSP protects against XSS


If you are working on .NET, the simplest option is to add a custom response header in Web.config (the customHeaders element under system.webServer/httpProtocol) and list every script origin; in ASP.NET Core you can set the same header from middleware instead. Here is the catch: if you run third-party analytics, this becomes tricky. Tag managers and analytics vendors inject further JS libraries at runtime, from origins you do not control and that change without notice: Facebook, Google Tag Manager, LivePerson, social media plugins, advertising networks. A host allowlist has to name every one of those origins, and every origin they in turn load from, or the browser blocks the script. This is where you need to draw a line and give the business a technical reason why a strict allowlist cannot be delivered as asked, or move to a nonce-based policy with 'strict-dynamic', which lets a script you trust load further scripts without listing their hosts. Browser compatibility is the next issue, and under-the-hood testing becomes exhaustive; a policy like this is prone to defects that surface as unknowns only after the move to production. Roll it out in Content-Security-Policy-Report-Only mode first and review the violation reports before enforcing it. Next time you come across CSP, think twice and do thorough research before you commit to anything.
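To make the runtime-injection problem concrete, here is an added example (my own code, not from the original post or from any .NET or browser project) that models how a browser decides whether a script is allowed under the script-src directive of a CSP header. It runs the allowlist policy the post describes against a tag manager that injects a vendor script at runtime, then runs the same page under a nonce plus 'strict-dynamic' policy. The policies, hostnames and script descriptions are constructed for the demo, and the matching rules are a simplified subset of CSP Level 3 (no path matching, no wildcard ports, no hashes, no default-src fallback).

```javascript
// Added example, not from the original post: a simplified model of how a
// browser evaluates a <script> against the script-src directive of a
// Content-Security-Policy header. Policies, hostnames and script objects
// below are constructed for the demo. Matching rules are a subset of
// CSP Level 3: no path matching, no wildcard ports, no hashes.

// Return the script-src source list from a CSP header value, or null if the
// header has no script-src directive (default-src fallback is ignored here).
function parseScriptSrc(header) {
  for (const directive of header.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name && name.toLowerCase() === 'script-src') return sources;
  }
  return null;
}

// host-source matching: exact host, or "*.example.com" for any subdomain.
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// A script object describes one <script> element:
//   src                     URL of an external script (absent for inline)
//   inline                  true for an inline script body
//   nonce                   value of its nonce attribute, if any
//   parserInserted          true if it came from the HTML parser (or document.write)
//   insertedByTrustedScript true if created via createElement by an allowed script
//   pageHost                host of the document, used for 'self'
function scriptAllowed(sources, script) {
  if (sources === null) return true; // no script-src: nothing to enforce
  const nonces = sources
    .filter((s) => s.startsWith("'nonce-"))
    .map((s) => s.slice("'nonce-".length, -1));
  if (script.nonce && nonces.includes(script.nonce)) return true;

  if (sources.includes("'strict-dynamic'")) {
    // strict-dynamic: host allowlists and 'unsafe-inline' are ignored; trust
    // propagates only to non-parser-inserted scripts created by trusted code.
    return script.insertedByTrustedScript === true && script.parserInserted !== true;
  }

  if (script.inline) return sources.includes("'unsafe-inline'");

  const url = new URL(script.src);
  return sources.some((p) => {
    if (p === '*') return true;
    if (p === "'self'") return url.host === script.pageHost;
    if (p.startsWith("'")) return false; // other keyword, not a host
    if (/^[a-z][a-z0-9+.-]*:$/i.test(p)) return url.protocol === p; // scheme-source
    return hostMatches(p.replace(/^[a-z][a-z0-9+.-]*:\/\//i, ''), url.host);
  });
}

// The situation the post describes: the page allowlists GTM, then GTM loads a
// vendor tag at runtime from a host nobody listed.
function allowlistScenario() {
  const sources = parseScriptSrc(
    "default-src 'self'; script-src 'self' https://www.googletagmanager.com"
  );
  const gtmLoader = { src: 'https://www.googletagmanager.com/gtm.js',
                      pageHost: 'shop.example', parserInserted: true };
  const vendorTag = { src: 'https://cdn.analytics-vendor.example/tag.js',
                      pageHost: 'shop.example', parserInserted: false,
                      insertedByTrustedScript: true };
  return {
    gtmLoader: scriptAllowed(sources, gtmLoader), // allowed
    vendorTag: scriptAllowed(sources, vendorTag), // blocked in production
  };
}

// Same page with a per-response nonce and 'strict-dynamic': the nonced loader
// may bring in further scripts, but a script injected into the markup without
// the nonce is still blocked, even though it comes from an https: origin.
function strictDynamicScenario() {
  const sources = parseScriptSrc("script-src 'nonce-d41d8cd98f' 'strict-dynamic' https:");
  const noncedLoader = { src: 'https://www.googletagmanager.com/gtm.js', nonce: 'd41d8cd98f',
                         pageHost: 'shop.example', parserInserted: true };
  const vendorTag = { src: 'https://cdn.analytics-vendor.example/tag.js',
                      pageHost: 'shop.example', parserInserted: false,
                      insertedByTrustedScript: true };
  const injectedMarkup = { src: 'https://attacker.example/x.js',
                           pageHost: 'shop.example', parserInserted: true };
  return {
    noncedLoader: scriptAllowed(sources, noncedLoader),
    vendorTag: scriptAllowed(sources, vendorTag),
    injectedMarkup: scriptAllowed(sources, injectedMarkup),
  };
}

console.log(allowlistScenario(), strictDynamicScenario());
```

The allowlist scenario is what turns a "low" pentest finding into production breakage: the tag manager itself loads, but everything it injects from an unlisted host is silently dropped, and the analytics team notices before the security team does. The nonce plus 'strict-dynamic' scenario is the shape of policy to research before committing, since it moves trust from a host list to the one script tag you render yourself.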
