
We have been using Mozilla Observatory grading to nudge us to improve our web server configurations and make them more secure. We can add extra headers in Apache/nginx/IIS to reach a grade B, but the Content Security Policy takes more effort. CSP controls where scripts and other content may be loaded from, mitigating XSS (cross-site scripting), clickjacking and content injection attacks.
So fundamentally you have to state the origin of all scripts, media, analytics and centralised login.
Fortunately you can get help: the header can make the browser report everything on the page that needs explicit permitting. It does so by POSTing a JSON report to a URL you choose.
CLAUDE !

So Claude looked up the information about this at Mozilla Observatory and, on its own initiative, designed this tool.

So it lists the potential violations as they come in.

It’s early days but a fine example of Claude’s prowess. There are other open source tools you can find to do this, and Sentry can handle it too.
So, a few pointers to what is going on. In your web server config for your site you would have a header like this (shown in nginx add_header syntax; in Apache the same header is set with Header always set Content-Security-Policy-Report-Only "..."):
add_header Content-Security-Policy-Report-Only "default-src 'self'; report-uri https://yourcspcollect.example.com/csp-report";
So this will permit self-sourced content but report everything else as a potential violation. One by one you can allow them by extending your header. Although you could allow your own inline scripts by adding script-src 'self' 'unsafe-inline' to your Content-Security-Policy header, it is certainly not recommended. Instead you give tags to your scripts, referred to as nonces, and state which nonces are allowed in your header:
<script nonce="abc123">
// your inline trusted JS
</script>
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-abc123'
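To show what a report-uri collector like the one above actually receives, here is an added example in Python (not the tool Claude built, nor Mozilla's code): it parses the JSON report a browser POSTs, suggests the source expression you would add to the header, and generates a fresh per-response nonce of the kind the script tag above needs instead of the fixed "abc123". The sample report and the listening address are constructed for the example.

```python
import json
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed sample of what a browser POSTs to report-uri (not a real report)
SAMPLE_REPORT = (b'{"csp-report": {"document-uri": "https://www.example.com/", "effective-directive":'
                 b' "script-src", "violated-directive": "script-src \'self\'", "blocked-uri": "https://cdn.example.net/lib.js"}}')

def parse_csp_report(body: bytes) -> dict:
    """Extract directive, blocked URI and page from the {"csp-report": {...}} envelope."""
    data = json.loads(body)
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    # Older browsers send only violated-directive ("script-src 'self'"); keep the name only
    directive = report.get("effective-directive") or report.get("violated-directive", "")
    return {"directive": directive.split()[0] if directive else "unknown",
            "blocked_uri": report.get("blocked-uri", ""),
            "document_uri": report.get("document-uri", "")}

def suggest_source(blocked_uri: str) -> str:
    """Map a blocked-uri to the source expression you would add to the header."""
    if blocked_uri == "inline":
        return "a per-response 'nonce-...' (not 'unsafe-inline')"
    if blocked_uri in ("data", "blob"):
        return blocked_uri + ":"  # scheme source, e.g. data: for inline images
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"  # allow the origin, not the full path
    return blocked_uri or "unknown"

def new_nonce() -> str:
    # Fresh 128-bit value per response; a fixed nonce is no better than 'unsafe-inline'
    return secrets.token_urlsafe(16)

class CSPReportHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            rep = parse_csp_report(body)
            hint = suggest_source(rep["blocked_uri"])
            print(f"{rep['document_uri']}: {rep['directive']} blocked {rep['blocked_uri']} -> allow {hint}")
            self.send_response(204)  # browsers ignore the response body
        except (ValueError, json.JSONDecodeError):
            self.send_response(400)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), CSPReportHandler).serve_forever()
```

Point your report-uri at the running collector and each line it prints is one source to consider adding; insert new_nonce() into both the header and the script tag on every response.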
Anyway, it’s early days for me on this, but I hope it was at least thought provoking or inspiring if you haven’t looked at it yourself.