
ptjuanramos/Open.ContentSecurityPolicy.NET


Open.ContentSecurityPolicy.NET

NuGet Packages

  • Open.ContentSecurityPolicy.NET
  • Open.ContentSecurityPolicy.NET.Web

1. Context

Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.

If the Content-Security-Policy header is present in the server response, a compliant client enforces the declarative whitelist policy. One example goal of a policy is a stricter execution mode for JavaScript in order to prevent certain cross-site scripting attacks.

2. How this library can help you

This library automatically adds the Content-Security-Policy header, with the configured directives, to every response. The Open.ContentSecurityPolicy.NET.Web NuGet package helps when you implement CSP in your web application: it contains a tag helper that places the same per-request nonce value, the one emitted in the header, on your <script ...> and <style ...> tags.

3. Setup

3.1 appSettings file

Add a ContentSecurityPolicy element to your appSettings file. Each child property is a content-security-policy directive, named in upper camel case (DefaultSrc for default-src, ScriptSrc for script-src, and so on); its value is the list of source expressions to emit, with '{nonce}' standing for the per-request nonce. Note that plugin-types takes MIME types and report-to takes a reporting group name rather than source expressions, and browsers do not enforce navigate-to, so the 'self' entries shown for those three below are only the library's default value, not useful policy.

"ContentSecurityPolicy": {
    ...
    "DefaultSrc": [ "'{nonce}'", "'self'" ],
    "ScriptSrc": [ "'{nonce}'", "'self'", "cdn.js" ],
    "FrameAncestors": ["'self'"],
    "PluginTypes": ["'self'"],
    "ReportTo": ["'self'"],
    "NavigateTo": ["'self'"]
    ...
  }

3.2 ConfigureServices

services.AddContentSecurity();

//or without appSettings configuration

IReadOnlyCollection<Directive> directives = new Directive[] {
    DirectiveFactory.GetDirective(Policy.DefaultSrc, new string[] { "'{nonce}'", "'self'" }),
    DirectiveFactory.GetDirective(Policy.ScriptSrc, new string[] { "'{nonce}'", "'self'", "cdn.js" }),
    DirectiveFactory.GetDirective(Policy.FrameAncestors),   // no second argument: 'self' only
    DirectiveFactory.GetDirective(Policy.PluginTypes),
    DirectiveFactory.GetDirective(Policy.ReportTo),
    DirectiveFactory.GetDirective(Policy.NavigateTo)
};

// DirectiveFactory.GetDirective has two overloads. Called with only the Policy, the
// directive gets 'self' as its sole source. Once you pass the second argument, only the
// sources you list are emitted, so include "'self'" explicitly if you still want it.

services.AddContentSecurity(directives);

3.3 Middleware

app.UseContentSecurityPolicy();

3.4 Nonce value in script and style tags.

3.4.1 Add web package assembly to your _ViewImports file.

@addTagHelper *, Open.ContentSecurityPolicy.NET.Web

3.4.2 Add asp-with-nonce attribute to your script and style tags.

<script asp-with-nonce src="~/lib/jquery/dist/jquery.min.js"></script>

That's it 🤷!

(Optional) This package has a default nonce provider. If you want to implement your own, follow these instructions.

(Note) The built-in asp-src-include attribute (glob-based script inclusion) doesn't work well with custom tag helpers. If you want to add nonce values to the files it includes, follow these instructions.
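Once the middleware and the tag helper are in place, the property that actually gives you XSS protection is that the nonce in the header and the nonces on the tags agree, that the value changes on every response, and that it is unguessable. The following Python script is an added check, not code from this library or from the page; it verifies those properties over a constructed response. It assumes the '{nonce}' placeholder is rendered as a standard 'nonce-<base64>' source expression; the header, HTML and nonce values below are made up for the example, not captured from the library.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed sample response (not captured from the library): what a request to an
# app wired up as in section 3 is expected to produce. Nonce values are made up.
NONCE = "4G2ZlRnFq4P7bm1Ey0VtJw=="  # 16 bytes base64-encoded: 128 bits, the CSP3 minimum
HEADER = (f"default-src 'nonce-{NONCE}' 'self'; "
          f"script-src 'nonce-{NONCE}' 'self' cdn.js; "
          "frame-ancestors 'self'")
HTML = f"""<html><head>
<script nonce="{NONCE}" src="/lib/jquery/dist/jquery.min.js"></script>
<style nonce="{NONCE}">body {{ margin: 0 }}</style>
<script>console.log('inline, no nonce');</script>
<script src="https://cdn.js/plugin.js"></script>
</head></html>"""

NONCE_SRC = re.compile(r"^'nonce-([A-Za-z0-9+/]+=*)'$")


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}.
    Directives are ';'-separated, tokens whitespace-separated, names case-insensitive."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def sources_for(policy, directive):
    """Sources governing `directive`: its own list, or default-src only when the
    specific directive is absent entirely (that is how browsers fall back)."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def nonce_for(policy, directive):
    """The nonce value declared for `directive`, or None if it has no nonce source."""
    for src in sources_for(policy, directive):
        m = NONCE_SRC.match(src)
        if m:
            return m.group(1)
    return None


def nonce_is_strong(nonce, min_bytes=16):
    """True if the nonce is valid base64 carrying at least `min_bytes` of data."""
    try:
        return len(base64.b64decode(nonce, validate=True)) >= min_bytes
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


class TagCollector(HTMLParser):
    """Record the attributes of every <script> and <style> start tag."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.tags.append((tag, dict(attrs)))


def check_response(header, html):
    """Findings about nonce use in one response; an empty list means every script
    and style tag carries the nonce the header declares and the nonce is strong."""
    policy = parse_csp(header)
    findings = []
    collector = TagCollector()
    collector.feed(html)
    for tag, attrs in collector.tags:
        directive = "script-src" if tag == "script" else "style-src"
        expected = nonce_for(policy, directive)
        if expected is not None and attrs.get("nonce") == expected:
            continue
        if "src" in attrs:  # external script: host sources still apply
            findings.append(f"<{tag} src={attrs['src']!r}> lacks the {directive} nonce; "
                            "it loads only if its origin matches a host source "
                            f"({' '.join(sources_for(policy, directive))})")
        else:  # inline: nothing but a nonce, a hash, or 'unsafe-inline' allows it
            findings.append(f"inline <{tag}> lacks the {directive} nonce; the browser "
                            "blocks it unless a matching hash is listed")
    for directive in ("script-src", "style-src"):
        n = nonce_for(policy, directive)
        if n is not None and not nonce_is_strong(n):
            findings.append(f"{directive} nonce {n!r} is too short or not base64")
    return findings


def nonces_unique(headers):
    """A nonce must be fresh per response; a repeated value lets anyone who has seen
    one page inject scripts into the next. True if every script-src nonce differs."""
    seen = [nonce_for(parse_csp(h), "script-src") for h in headers]
    return None not in seen and len(set(seen)) == len(seen)


if __name__ == "__main__":
    for finding in check_response(HEADER, HTML):
        print("finding:", finding)
    second = HEADER.replace(NONCE, "7s1Lk0mVZ2cE9XyQwRtaUg==")  # a second constructed response
    print("nonce unique across responses:", nonces_unique([HEADER, second]))
```

To use it against a real deployment, replace HEADER and HTML with a captured response, then request the page twice and pass both headers to nonces_unique: a nonce that is computed once per process or cached with the page passes every per-response check and still gives no protection.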

4. Examples

Explanation by example:

Example 1

  • Imagine that you receive the following requirements:
    • The web client must receive a CSP response header with script-src and default-src directives.
    • script-src must allow script tags that carry a nonce value to run.
    • script-src must allow scripts from the jQuery CDN to run.