HTTP header that restricts the allowed sources of scripts, styles and images in order to prevent XSS.
CSP (Content Security Policy, W3C) is an HTTP response header that lets a site declare which content sources (scripts, stylesheets, images, fonts, frames, etc.) are allowed to load on the page. It is the main defense-in-depth control against Cross-Site Scripting (XSS) and data injection attacks.
Format: `Content-Security-Policy: directive source-list; directive source-list; ...`
Main directives:
(1) **default-src** — fallback for all resource types.
(2) **script-src** — JavaScript sources (the most critical).
(3) **style-src** — CSS sources.
(4) **img-src** — images.
(5) **font-src** — fonts.
(6) **connect-src** — XHR, fetch, WebSocket, EventSource.
(7) **frame-src** / **frame-ancestors** — iframes (frame-ancestors replaces X-Frame-Options).
(8) **object-src** — plugins (Flash, etc.; usually 'none').
(9) **base-uri** — URL of the `<base>` element.
(10) **form-action** — form submission URLs.
(11) **upgrade-insecure-requests** — automatically upgrades HTTP to HTTPS.
(12) **report-uri / report-to** — where to send violation reports.
Source keywords: 'self' (same origin), 'none', 'unsafe-inline' (avoid!), 'unsafe-eval' (avoid!), 'strict-dynamic', nonce-XXX, sha256-XXX, https:, *.example.com.
Example strict CSP:
```
Content-Security-Policy:
default-src 'self';
script-src 'self' 'nonce-randomXYZ' 'strict-dynamic';
style-src 'self' 'unsafe-inline';
img-src 'self' data: https://cdn.example.com;
font-src 'self' https://fonts.gstatic.com;
connect-src 'self' https://api.example.com;
frame-ancestors 'none';
base-uri 'self';
form-action 'self';
upgrade-insecure-requests;
report-uri https://report.example.com/csp
```
Strict CSP (Google's recommendation): use nonces or hashes plus 'strict-dynamic' instead of URL allowlists, which are often bypassable via JSONP endpoints, AngularJS DOM clobbering, etc. Much more secure.
Deployment strategy:
(1) **Report-only mode**: `Content-Security-Policy-Report-Only` to test without enforcing.
(2) Analyze violation reports received at the report-uri endpoint.
(3) Fix legitimate violations (move inline scripts to external files, add nonces).
(4) Switch to enforcing mode.
(5) Iterate and strengthen the policy.
Tools: (1) **CSP Evaluator** (Google) — analyzes policy strength; (2) **Report URI** (commercial) — collects and analyzes reports; (3) **Sentry** — CSP report integration; (4) **Mozilla Observatory** — scans headers.
Limitations: (1) **complex to deploy** for legacy apps with inline scripts/styles spread throughout; (2) **third-party widgets** (analytics, ads) often require an allowlist; (3) **subtle bypasses** are known (a script-src allowlist is often defeated). Skills: Security+, CISSP, OSCP.
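As an added example (not part of the original entry, nor Google's CSP Evaluator), the following Python code builds a strict nonce-based policy of the kind shown above and runs CSP Evaluator-style checks for the script-src weaknesses the text warns about (unsafe-inline without a nonce, URL allowlists without 'strict-dynamic', missing object-src/base-uri). The report endpoint URL and nonce handling are assumptions for illustration.

```python
import secrets

KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'", "'report-sample'"}

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [sources]}; like browsers, keep only the first copy of a duplicated directive."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def is_nonce_or_hash(src: str) -> bool:
    return src.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))

def new_nonce() -> str:
    # 128 bits from the OS CSPRNG: an injected <script> cannot guess it, so it never matches
    return secrets.token_urlsafe(16)

def build_strict_csp(nonce: str, report_uri: str) -> str:
    """Strict CSP: per-response nonce + 'strict-dynamic', no script URL allowlist; echo the nonce into every legitimate <script nonce="..."> tag."""
    return "; ".join([
        "default-src 'self'",
        f"script-src 'nonce-{nonce}' 'strict-dynamic'",
        "object-src 'none'", "base-uri 'self'", "frame-ancestors 'none'", "form-action 'self'",
        f"report-uri {report_uri}",  # assumed collector endpoint, e.g. https://report.example.com/csp
    ])

def evaluate_csp(header: str) -> list[str]:
    """Flag the script-src weaknesses the text warns about (CSP Evaluator-style checks, not Google's tool)."""
    policy = parse_csp(header)
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        return ["no script-src and no default-src: scripts may load from anywhere"]
    findings = []
    if "'unsafe-inline'" in scripts and not any(is_nonce_or_hash(s) for s in scripts):
        findings.append("script-src: 'unsafe-inline' without a nonce/hash lets injected inline scripts run")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src: 'unsafe-eval' lets eval()/new Function() run injected strings")
    urls = [s for s in scripts if s not in KEYWORDS and not is_nonce_or_hash(s)]
    if any(u in ("*", "http:", "https:", "data:") or u.startswith("*.") for u in urls):
        findings.append("script-src: wildcard or bare scheme admits scripts from untrusted hosts")
    if urls and "'strict-dynamic'" not in scripts:
        findings.append("script-src: URL allowlist without 'strict-dynamic'; audit each host for JSONP-style bypasses")
    if "object-src" not in policy and policy.get("default-src") != ["'none'"]:
        findings.append("object-src: not set to 'none'; plugin content falls back to default-src")
    if "base-uri" not in policy:
        findings.append("base-uri: missing; an injected <base> can redirect relative script URLs")
    return findings
```

Run on the example header above, `evaluate_csp` reports only the object-src fallback to default-src 'self'; a policy such as `script-src 'self' 'unsafe-inline' https://cdn.example.com` gets four findings.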