Content Security Policy (CSP) Header: Onto each file or only the actual HTML pages?


I'm currently adding the Content Security Policy (CSP) header to our application. I'm wondering to which files the header must be attached. After some research, I did not find a clear answer to it.

Twitter, e.g. only added it to the actual HTML document. Facebook, however, added it to almost every resource and the HTML document (HTML, JS, CSS, etc.).

So, is it necessary to add the Content Security Policy header to each served resource file or only to the HTML document? How does it work with Ajax (JSON content) requests? How does it work with SPAs (only the index.html file or all resources)? I don't want to slow down the page by adding long CSP headers to each file if it is not necessary from a security point of view.


To clarify: Do browsers treat images or other non-document resources differently when they come with a CSP header attached?

Content Security Policy (CSP) is a computer security standard that provides an added layer of protection against Cross-Site Scripting (XSS), clickjacking, and other client-side attacks. It is not intended as a first line of defense against content injection vulnerabilities; it restricts what a page may load and execute so that an injection that does get through has less to work with.

Browsers that support the HTTP Content Security Policy response header will prevent images (and other content) from loading for any page where the response header or a meta tag contains Content Security Policy directives that limit the domains considered as valid content sources, require all content to be loaded via HTTPS, etc. Most widely used modern browsers support Content Security Policy and apply it to control the majority of content resources (including images) associated with any HTTP request (except that web worker resource control is not supported in Safari and IE and may not be supported in Edge or Opera).

You can specifically include img-src policy directives in your Content Security Policy to restrict the domains considered as valid sources for images as well as require the HTTPS scheme, etc. There are also specific directives available for a variety of other resources including fonts, frames, media (audio, video, etc), scripts, stylesheets, web workers, etc.

You will either need to include your Content Security Policy as part of the HTTP response header that is returned from your web server as part of each HTTP request where you wish to limit valid content sources or ensure that the requested page includes a Content Security Policy meta tag like...

<meta http-equiv="Content-Security-Policy" content="default-src 'self';">

Note that IE 10+ browsers support Content Security Policy response headers but not meta tags (also there are some specific implementation details you need to attend to if you want to support IE).
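The answer above says the policy takes effect on the page that carries it, which is why the question of "every file or only the HTML document" comes down to whether the response is something a browser renders as a document. The following WSGI middleware is an added example (not code from the question, the answer, or any site mentioned) that attaches the answer's `default-src 'self';` policy only to document responses and leaves JSON and image responses untouched. The set of "document" media types, the sample app and its three routes are assumptions made for the example; the policy string is the one from the meta tag above.

```python
"""Attach a Content-Security-Policy header only to responses that a browser
renders as a document, leaving images, JSON and other sub-resources as-is.
Added example for this Q&A page, standard library only."""

# Policy taken from the answer's meta-tag example; assumed as the site policy.
CSP_POLICY = "default-src 'self';"

# Media types a browser renders as a top-level document, and which therefore
# are governed by a CSP they carry. Assumption for this example: HTML, XHTML
# and SVG (SVG can be navigated to directly and may contain scripts).
DOCUMENT_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def is_document(content_type):
    """True if the Content-Type (parameters such as charset stripped) is a document type."""
    if not content_type:
        return False
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in DOCUMENT_TYPES


def add_csp(headers, policy=CSP_POLICY):
    """Return a copy of a WSGI header list with the CSP header appended when the
    response is a document and does not already carry a policy."""
    ctype = next((v for k, v in headers if k.lower() == "content-type"), None)
    already = any(k.lower() == "content-security-policy" for k, _ in headers)
    if is_document(ctype) and not already:
        return list(headers) + [("Content-Security-Policy", policy)]
    return list(headers)


class CspMiddleware:
    """WSGI middleware that rewrites the outgoing header list through add_csp."""

    def __init__(self, app, policy=CSP_POLICY):
        self.app = app
        self.policy = policy

    def __call__(self, environ, start_response):
        def csp_start_response(status, headers, exc_info=None):
            return start_response(status, add_csp(headers, self.policy), exc_info)

        return self.app(environ, csp_start_response)


def demo_app(environ, start_response):
    """Constructed sample app: an HTML page, an Ajax JSON endpoint and an image."""
    path = environ.get("PATH_INFO", "/")
    if path == "/api/items":
        start_response("200 OK", [("Content-Type", "application/json")])
        return [b'{"items": []}']
    if path == "/logo.png":
        start_response("200 OK", [("Content-Type", "image/png")])
        return [b"\x89PNG\r\n\x1a\n"]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<!doctype html><title>home</title>"]


def response_headers(path, app=CspMiddleware(demo_app)):
    """Run one request for `path` through the middleware; return {header: value}."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)
        return lambda data: None

    b"".join(app(environ, start_response))  # drain the body iterator
    return captured


if __name__ == "__main__":
    for p in ("/", "/api/items", "/logo.png"):
        h = response_headers(p)
        print(p, "->", h.get("Content-Security-Policy", "(no CSP header)"))
```

Running it prints the policy for `/` and `(no CSP header)` for the JSON and image routes, which is the "only the HTML document" approach the question attributes to Twitter. Sending the header on every response, as the question attributes to Facebook, is also correct; it costs a few hundred bytes per response and is the safer choice when a non-HTML resource might ever be opened as a top-level document, but it is not required for the policy to protect the page.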


slow down the page by adding long CSP headers to each file

Supposedly, with a 304 Not Modified status, CSP headers are not being sent; they are sent only on initial loading.


A policy supplied by a Content-Security-Policy HTTP header or an appropriate HTML meta element applies to the current document only. The Content-Security-Policy header in particular can get quite lengthy. As a lot of the headers relate to the owning HTML page (and the JavaScript contained within), I get the feeling most of them need only be set for HTML pages. I've looked at various resources such as: Content Security Policy; HSTS - RFC 6797; X-XSS-Protection; Mozilla Web Security.

Per Content Security Policy Level 3, 'self' also matches the https: and wss: variants of the page's origin. A policy may be delivered in a header or declared inline in an HTML document via a meta element. CSP is a powerful mechanism that allows very fine-grained control, but creating a good policy (or adjusting your site to work with one) can take some time and effort; to make this easier, use CSP in report-only mode (Content-Security-Policy-Report-Only) first, and switch to the enforcing header once the reported violations have been fixed or allowed by the policy.