Content Security Policy — Preventing XSS Attacks Client-side

An extra layer of defence against Cross-Site Scripting (XSS) has now become a standard that is ready to be implemented: Content Security Policy. It's as easy as sending a Content-Security-Policy header along with your pages:

Content-Security-Policy: script-src 'self'; img-src 'none'

With the (example) policy above, a browser that supports CSP will only run scripts loaded from your own origin (same scheme, host and port): scripts from other hosts are blocked, and so are inline script blocks and eval(), which is what takes the sting out of most injected XSS payloads. The img-src 'none' part goes a step further and blocks every image, not just external ones. Note that this policy says nothing about stylesheets, fonts or XHR requests; without a default-src directive those remain unrestricted, so in practice you'll want to start from default-src 'none' (or 'self') and whitelist from there. This new header doesn't mean you're fully protected once you include it, though: you'll still want to encode your output server-side, as you don't want *any* HTML tags to be injected. Also, older browsers remain a target as they don't understand the header and simply ignore it (which, on the other hand, is a strong argument for pushing clients towards the newest version of their browser).
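To make the question "what does this policy actually block?" concrete, here is an added example (not code from the original post) in JavaScript: a small evaluator for CSP fetch directives that runs under Node. It only implements the pieces the policy above touches ('self', 'none', 'unsafe-inline', '*', plain host sources, and the fall-back from a missing directive to default-src); nonces, hashes, scheme sources, wildcard hosts, path matching and report-only mode are deliberately left out, so treat it as a teaching aid rather than a browser-accurate engine. The page origin https://example.com and the resource URLs are made up for the demo.

```javascript
// Added example: a minimal evaluator for CSP fetch directives.
// Not the author's code and not a complete CSP implementation (see the lead-in).

// Parse "script-src 'self'; img-src 'none'" into { 'script-src': ["'self'"], 'img-src': ["'none'"] }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers honour the first occurrence of a directive and ignore duplicates.
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Which directive governs a given resource type; anything unknown falls back to default-src.
const DIRECTIVE_FOR = {
  script: 'script-src',
  img: 'img-src',
  style: 'style-src',
  font: 'font-src',
  connect: 'connect-src',
  frame: 'frame-src',
  media: 'media-src',
};

// 'self' in CSP means same scheme, host and port as the document (path is irrelevant).
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol && ua.hostname === ub.hostname && ua.port === ub.port;
}

// Does one source expression permit an *external* load of resourceUrl from a page at pageUrl?
function sourceAllows(source, resourceUrl, pageUrl) {
  if (source === "'none'") return false;
  if (source === '*') return true;
  if (source === "'self'") return sameOrigin(resourceUrl, pageUrl);
  // Other quoted keywords ('unsafe-inline', nonces, hashes) are not modelled for external loads here.
  if (source.startsWith("'")) return false;
  // Plain host source such as cdn.example.com; without a scheme it inherits the page's scheme.
  const candidate = source.includes('://') ? source : `${new URL(pageUrl).protocol}//${source}`;
  try {
    return sameOrigin(candidate, resourceUrl);
  } catch {
    return false; // unparsable source expression never matches
  }
}

// resource is { type, url } for an external load or { type, inline: true } for inline script/style.
function isAllowed(policy, pageUrl, resource) {
  const directive = DIRECTIVE_FOR[resource.type] || 'default-src';
  let sources = policy[directive];
  if (sources === undefined) sources = policy['default-src']; // fall back to default-src
  if (sources === undefined) return true; // no governing directive at all: CSP imposes nothing
  if (resource.inline) return sources.includes("'unsafe-inline'");
  return sources.some((s) => sourceAllows(s, resource.url, pageUrl));
}

// Constructed inputs: the post's example policy, served from a made-up origin.
const PAGE_URL = 'https://example.com/';
const EXAMPLE_POLICY = parsePolicy("script-src 'self'; img-src 'none'");

function demo(policy = EXAMPLE_POLICY, pageUrl = PAGE_URL) {
  return {
    ownScript: isAllowed(policy, pageUrl, { type: 'script', url: 'https://example.com/app.js' }),
    cdnScript: isAllowed(policy, pageUrl, { type: 'script', url: 'https://cdn.evil.example/x.js' }),
    inlineScript: isAllowed(policy, pageUrl, { type: 'script', inline: true }),
    ownImage: isAllowed(policy, pageUrl, { type: 'img', url: 'https://example.com/logo.png' }),
    // No style-src and no default-src: stylesheets from anywhere are still allowed.
    remoteStyle: isAllowed(policy, pageUrl, { type: 'style', url: 'https://cdn.evil.example/s.css' }),
  };
}

console.log(demo());
```

Run it with node and look at the last result: with neither style-src nor default-src in the header, the policy has nothing to say about stylesheets, which is why a default-src floor belongs in any real policy.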

Alternatively you can also deliver the policy through a meta tag (http-equiv="Content-Security-Policy") in the head of your page, which is handy when you can't control the response headers. The meta variant has some limitations though: directives such as frame-ancestors, report-uri and sandbox are ignored there, and anything the browser has already loaded before it reaches the meta tag isn't covered, so prefer the header when you can set it.

More on Content Security Policy: An Introduction To Content Security Policy →

Published by Bramus!

Bramus is a frontend web developer from Belgium, working as a Chrome Developer Relations Engineer at Google. From the moment he discovered view-source at the age of 14 (way back in 1997), he fell in love with the web and has been tinkering with it ever since (more …)
