Intro: Problem of the Permission-less Web

Content-Security-Policy (CSP) is a way to introduce permissions to the web – which is a permission-less by default platform. If you are not setting a proper CSP – your website / webapp stays fully open . It can (by default) send requests to any server in the world, get embedded in any site, or load a script from anywhere.

This provides a lot of flexibility to ship sites fast and have a wide array of external code be easily embeddable in your site. In a modern site, over 70% of the code is not written by the developers, but by 3rd parties / open source developers.

However, since each one of these resources is also acting in the permission-less environment, they each inherit the ability to do anything in the site / webapp – incrementally increase the risk breaches.

A typical site loads assets from dozens of different origins and creators

Note that this open nature of the web architecture was created back in the day that the only thing you could do in a browser was reading some content – so it did not make sense to invest in security at the time.
Yet today – web applications involve highly sensitive transactions via your users’ browser on an ongoing basis. A few examples:

  • Managing sensitive personal information and transaction with online banking / health / insurance.
  • Sending and receiving countless work and personal emails / chat messages.
  • Interacting with maps and sharing location specific data.
  • Using countless online SaaS products that run in your browser.
  • Shopping with your credit card in e-commerce businesses.

The lack of strong security measures and restrictions makes these activities highly susceptible to a wide array of cybersecurity threats – around 50% of all root-causes of security incidents.

It’s impossible to start over and build the web with sane defaults fitting to today’s use cases. Over the years however, the W3C – together with the browser makers, have added these missing security / permissions controls via Security Headers that are served via HTTP headers of the web protocol.
These headers add powerful and flexible security enhancements tackling the various risks, and Content-Security-Policy (CSP) is probably the most important one – tackling permissions of what can be loaded in any web page, and where it can be loaded.


What is Content Security Policy?

The CSP is a standardized allowlist protocol that allows the developer (or operator) to instruct the browser on what is considered allowed for this website / webapp.
Let’s take an example OWASP’s recommendation of how to defend against Clickjacking:
The main method is setting the frame-ancestors directive of the CSP, that defines where the site can be embedded (as a frame). The below instructs the browser to prevent loading iframes that are not on the same origin (self), or on the specific subdomain of an allowed site.

Content-Security-Policy: 
      frame-ancestors 'self' https://sub.site-i-allow.com;
      report-uri https://gate.rapidsec.net/g/r/csp/YOUR_SPECIFIC_PROJECT_DETAILS

This simple mechanism closes the attack surface on the ClickJacking attack as framing the site anywhere on the internet becomes forbidden. Moreover, when any attempt to frame the site, is blocked by the CSP – a report will automatically be sent to the report-uri (in this case RapidSec), that can shed light on the attack. Basically this is a built-in telemetry, that when used correctly – can alert on attacks / breaches in real-time.

CSP has many other directives, with different use-cases – such as script-src that defends against XSS, form-action blocking formjacking. When combined correctly – this directives offer best-in-class protection against many common threats.


Driving forces of CSP adoption for Web Security Posture

In the recent years, adoption of Content-Security-Policy has increased significantly, due to the standardization of CSP and several powerful regulatory / industry forces demanding websites use this mitigation technique. Security assessments and checklists of all kinds check that you are properly managing content security policies on all your web assets:

1. Auditors requiring to see CSP headers

The PCI Standards Security Council requires CSP usage to mitigate JS supply chain attacks / Magecart:

“Third party scripts should be monitored to detect changes and the changes be reviewed to identify any potentially malicious code before implementation. Using content security policies (CSP) to restrict compliant browsers from executing JavaScript from sources which have not been explicitly whitelisted is an added protection that should be incorporated.”

The threat of online skimming to payment security

And we can see that many PCI-DSS auditors are checking for CSP deployment, with the need to show retroactive evidence of proper usage:

As a PCI DSS assessor, I may be asking questions about where your CSP headers exist in your next assessment!

CSP & Security Headers Requirements ~ Truvantis

2. CSP in Penetration testers’ checklist

Web application vulnerabilities are by-far the most critical and frequent finding across penetration tests in all sectors, as can be seen in this report:

In 77 percent of cases, local network penetration vectors involved insufficient protection of web applications.

Penetration testing of corporate information systems: statistics and findings in 2020

Many companies decide to implement Content-Security-Policy (CSP) and other security headers after having them as the remediation recommendation in the penetration test results.

3. Graders penalizing “Content Security Policy (CSP) Missing”

SecurityScorecard score reduction for lack of Content-Security-Policy setting

Risk assessment platforms like SecurityScorecard have made companies’ security posture public, and subject to automatic, ongoing scanning of your companies assets.

Your grade on these scanners now holds a significant portion of the enterprise vendor decision process – and your business cannot afford to have low grades (as this literally loses deals).

* Note: a coming up blog post on our effort at RapidSec to reach a 100 on Security Scorecard, maintaining our own security posture.

4. Legislators moving-target laws

The GDPR, CCPA and other legislation, has flexible language (on purpose) – allowing evolution of standards.

Take for example the CCPA, that requires to use reasonable security procedures and practices.

Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following.

SEC. 11. Section 1798.150 CCPA

But What accounts as reasonable? Until recently, it was very hard to deploy a Content-Security-Policy. Only tech-savvy companies such as Google and Github could utilize dedicated internal security experts, with dedicated infrastructure to use CSP on some of their assets.

Hence, it was reasonable for companies with less resources – not to go this extra mile (of hiring experts), and they could get a pardon on failing to meet this “unreasonable” measure.

Today however, Generating a Content-Security-Policy for your sites can be automatic, and managing your CSP with RapidSec (or some of the WAF providers that have a CSP feature), has become a much more approachable task.

This best-practice enforced approach to Content Security Policy does not require deep expertise / research / your own dedicated infrastructure. In fact – we’ve seen many cases of one Security / IT / DevOps / R&D engineer deploy CSP across dozens of an enterprise’s assets in a single day with RapidSec.

Combined with the affordable pricing for managing CSP, it is now highly reasonable that all companies with PII / sensitive web assets use Content-Security-Policy as an HTTP header on all their assets.

We’ve also seen GDPR breaches fined heavily, for lack of adopting proper standardized security controls. Such as the ICO fining British Airways £20M for data breach affecting more than 400,000 customers (FYI: this fine was significantly reduced from the original £183M fine due to unusual constraints on airlines in the 2020 lockdowns).

Failure to prevent the attack:
There were numerous measures BA could have used to mitigate or prevent the risk of an attacker being able to access the BA network. These include limiting access to applications, data and tools to only that which are required to fulfill a user’s role

Lack of awareness of the attack:
ICO investigators found that BA did not detect the attack on 22 June 2018 themselves but were alerted by a third party more than two months afterwards on 5 September.

Note that the ICO clearly specifies two failures – not preventing the attack in the first place with proper mitigation AND having the skimming of PII and credit cards go on for two months!

Had British airways properly utilized a Content-Security-Policy on their site, both of these major infractions would have been solved – avoiding leaking data of 429,612 of their customers and staff, and saving BA from the lawsuit and bad PR.

5. Industry Requirements for Enterprise-ready Products and Services

The Minimum Viable Secure Product (MSVP) was recently launched as a collaboration of Google, Salesforce and other industry leaders – with the aim of providing externally recognized of security baselines to build your compliance efforts.

This minimalistic security checklist for B2B software and business process outsourcing suppliers, is designed with simplicity in mind. The checklist contains only those controls that must, at a minimum, be implemented to ensure a reasonable security posture – applicable to RFPs, security self assessments and vendors’ security posture questionnaires.

Google’s experts have been advocating for the usage of Content Security Policy and other Security headers as as an effective measure for years, so it’s not surprising that CSP is a now a formal requirement on this checklist also:

Set a minimally permissive Content Security Policy
This control measures that appropriate browser protections are in place within your product and/or service to protect against common web threats.

Item 2.3 of the MVSP Checklist and FAQ

Benefits of Content Security Policy for Security / Compliance Teams

In addition to getting great security posture – by properly implementing CSP, you will be closing massive attack surfaces that are the most commonly exploited security vectors.
Companies that have deployed CSP have reported to us (RapidSec) a “Noise reduction” in the amount of cybersecurity incidents in their organization.

Example RapidSec Alert when blocking an XSS / Magecart attack via the CSP

Having full monitoring / alerts of violations of your policy in your web assets when leveraging the RapidSec threat detection module – has “been a godsend” quoting one of our customers.

Add to that the added sense of security of finally having control over that endless JS dependency supply-chain!

When done right – implementing CSP across your web assets is definitely the best ROI for your security posture.


Challenges of adopting CSP effectively

Enterprises trying to build their and maintain their Content Security Policies manually tend to encounter the following problems:

  • Requires deep expertise – does your R&D team have time to read the endless documentation on the dozes of directives and controls?
  • Requires dedicated technology – Violation reports to a dedicated CSP report URI. Do you really want to build one yourself?
  • Time consuming – Deployment can take months if you are manually looking into your apps and trying to reverse-engineer their suitable CSPs.
  • Risky when done improperly – there are many measures to take to build a Content Security Policy without breaking your site.
  • Maintain a system of record – Do you register versions of your CSP? When they change? Where they get deployed? These questions will come up in your next audit – so your need proper evidence collection.

As you may have guessed by now, RapidSec provides the best tools in the world to deploy Content-Security-Policy at scale – in any site / company.


Conclusion: Start with CSP now – With RapidSec

It is now a recognized standard that your web asset must use Content Security Policy to mitigate and detect breaches, so why wait to fail your next security posture assessment?
Get started with RapidSec now, and deploy assessment-ready CSPs in no time:

Book a Demo with RapidSec experts

Learn how to you can level up your security posture with automatic CSP deployment. You can also Schedule on Calendly directly.

or Sign up for a free RapidSec Trial

Go through the steps to launch CSP independently – we really make it easy!


Any questions? Reach me @Shai_Alon , or Contact us