0

I need high security for my app, so I have to add security headers for my views. However, I'm not entirely sure I understood the CSP header correctly (specifically its parameters). Is my combination safe and provides high security against XSS? Can I be sure that no one will replace the action in the form and will not perform clickjacking and send the user's data from the form to himself using AJAX?

My CSP: default-src: 'self'; object-src: 'none'; script-src: 'self'; style-src: 'self'; img-src: 'self'; connect-src: 'self'; media-src: 'none'; frames-src: 'none'; sandbox allow-same-origin; child-src: 'none'; form-action: 'self'; base-uri: 'self';

What are additional CSP parameters that I can add to provide better security?

Szyszka947
  • 351
  • 1
  • 10
  • 1
    frames-src does not sound familiar, did you mean frame-ancestors? Note that you can break functionality of the site by using directives without testing. Set the most restrictive policy you want in report only mode, test it, and go from there to find the right security settings for your content needs. https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP has excellent instructions. – postoronnim Nov 21 '22 at 17:08
  • 1
    it's called frame-src, not frames-src. – Yogu Nov 21 '22 at 17:25
  • I know I can break functionality, but the only endpoint where I add security headers returns login form. That's why I don't care about functionality, but about the highest security. – Szyszka947 Nov 21 '22 at 18:24
  • 1
    If it's a login form then it looks fine, except you need frame-ancestors: none to prevent framing by other sites. – postoronnim Nov 21 '22 at 18:51
  • Does this answer your question? XSS prevention through Content Security Policy TLDR: CSP eliminates many XSS attacks, but some still remain possible. – mentallurg Nov 21 '22 at 20:34

0 Answers0