Make browsers safer using HTTP headers

A while ago, I started investigating Content Security Policy (CSP). Because I had not used it on any projects, I decided to implement it on this website, so that recommending it to customers would be based on experience, not just on what you read on the Internet.

With CSP you can block or allow resources using HTTP headers. This helps to prevent cross-site scripting (XSS). A nice feature is the ability to simulate a policy and report violations without enforcing it. This way you can detect false positives and fix unintended side effects.

After a couple of weeks running it, I did a talk on the subject at my local PHP user group. The slides are available on SlideShare. The presentation contains a couple of examples of URIs that get blocked, mainly because I am not sure where some of them come from. The Chrome/Chromium/Blink team picked this up because of some Chrome-specific examples, which resulted in a bug report. So I am glad that I made my findings public.

Although CSP offers a comprehensive way to use HTTP headers to increase the security in browsers, not all browsers support it.

There are some other security headers you can use to complement CSP:

  1. X-Frame-Options
  2. X-Content-Type-Options
  3. X-XSS-Protection
  4. Strict-Transport-Security
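As an added example (not code from the original post), here is how the report-only mode described above and the four complementary headers could be wired up in Python, together with a small summary of the violation reports a browser posts back, which is how you spot the blocked URIs that need investigating. The CDN host, the /csp-report endpoint and the sample reports are assumptions.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Start in report-only mode so nothing is blocked while looking for false positives.
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.com"],  # assumed CDN host
    "img-src": ["'self'", "data:"],
    "report-uri": ["/csp-report"],  # assumed report endpoint on this site
}

def csp_header(policy, enforce=False):
    """Return (name, value); enforce=False selects the report-only header."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    value = "; ".join(f"{d} {' '.join(srcs)}" for d, srcs in policy.items())
    return name, value

def complementary_headers():
    """The four non-CSP headers listed above, with conservative values."""
    return {
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "X-XSS-Protection": "1; mode=block",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    }

def summarise_reports(raw_reports):
    """Count blocked origins per violated directive from posted reports.
    Each report body looks like {"csp-report": {...}}; a host that shows up
    often is either a missing allow-list entry or something to investigate."""
    counts = Counter()
    for body in raw_reports:
        report = json.loads(body).get("csp-report", {})
        directive = (report.get("violated-directive") or "?").split()[0]
        blocked = report.get("blocked-uri", "")
        origin = urlsplit(blocked).netloc or blocked  # keeps 'inline', 'eval', 'data'
        counts[(directive, origin)] += 1
    return counts

# Constructed sample reports: an unknown script host (twice) and an inline script.
SAMPLE_REPORTS = [
    '{"csp-report": {"violated-directive": "script-src \'self\'", "blocked-uri": "https://unknown.example.net/x.js"}}',
    '{"csp-report": {"violated-directive": "script-src \'self\'", "blocked-uri": "https://unknown.example.net/y.js"}}',
    '{"csp-report": {"violated-directive": "script-src \'self\'", "blocked-uri": "inline"}}',
]
if __name__ == "__main__":
    print(": ".join(csp_header(POLICY)))
    for (directive, origin), n in summarise_reports(SAMPLE_REPORTS).most_common():
        print(f"{n:3d} {directive:12s} {origin}")
```

Once the report counts stop showing legitimate resources, switch `enforce=True` to send the enforcing header.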

To find out more about these, I recommend reading 4 HTTP Security headers you should always be using and the OWASP List of useful HTTP headers, and/or watching Browser-side security: Mitigate the risk of XSS.

Using these headers will help to make websites a little bit safer.