Content Security Policy — Preventing XSS Attacks Client-side

An extra measure to preventing Cross-Site Scripting has now become a standard ready to be implemented. It’s as easy as including this header in your sites

Content-Security-Policy: script-src 'self'; img-src 'none'

With this, external scripts and images won’t be loaded on your site. This new header however doesn’t mean you’re fully protected once you include it; you’ll still want to encode your strings serverside, as you don’t want *any* HTML tags to be injected. Also, older browsers still will be a target as they don’t understand the header (but that on the other hand could be a huge argument to pushing clients towards the newest version of their browser).

More on Content Security Policy: An Introduction To Content Security Policy →

Published by Bramus!

Bramus is a Freelance Web Developer from Belgium. From the moment he discovered view-source at the age of 14 (way back in 1997), he fell in love with the web and has been tinkering with it ever since (more …)

Join the Conversation

1 Comment

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.