Content Security Policy (CSP, new) ¶
See also

Définition 1 ¶
Content Security Policy can be thought of as much more advanced version of the X-XSS-Protection header above. While X-XSS-Protection will block scripts that come from the request, it’s not going to stop an XSS attack that involves storing a malicious script on your server or loading an external resource with a malicious script in it.
CSP gives you a language to define where the browser can load resources from.
You can white list origins for scripts, images, fonts, stylesheets, etc in a very granular manner. You can also compare any loaded content against a hash or signature.
Définition Mozilla ¶
The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page.
With a few exceptions, policies mostly involve specifying server origins and script endpoints.
This helps guard against cross-site scripting attacks (XSS)
Paramètrage Django ¶
Installer django-csp mais seul un expert sécurité peut régler les paramètres.
CSP niveau 1 ¶
CSP niveau 1 permet de spécifier des directives pour les éléments suivants:
-
script-src : les sources autorisées pour les scripts JS
-
styles-src : les sources autorisées pour les styles CSS
-
img-src : les sources autorisées pour les images
-
connect-src : s’applique pour XMLHttpRequest (AJAX), WebSocket ou EventSource
-
font-src : les sources pour les web fonts
-
object-src : les sources des plug-ins (par exemple : <object>, <embed>, <applet>)
-
media-src : les sources pour les balises <audio> et <video>