Shield Your ASP.NET MVC Web Applications with Content Security Policy (CSP)
“One single vulnerability is all an attacker needs.”
– Window Snyder
Attackers only need to find one gap, and on the web that gap is often a page that ends up loading or running content the developer never wrote. To safeguard your application you need a mechanism that tells the browser which sources it may trust, and Content Security Policy (CSP) provides exactly that.
In this blog post, we will see how to implement CSP in ASP.NET MVC web applications!
Overview
CSP is a browser-enforced layer of defense for your web application. It helps detect and mitigate certain classes of attacks, most importantly cross-site scripting (XSS) and other content injection attacks. It does not protect against SQL injection, which happens on the server; that needs parameterised queries.
Note: once a policy is in place, the browser disables some behaviour that is normally allowed, most notably inline <script> and <style> blocks, javascript: URLs and eval(), unless the policy explicitly permits them.
To apply CSP to our application, we define one or more policy directives and deliver them either in the Content-Security-Policy HTTP response header or in a <meta http-equiv="Content-Security-Policy"> tag. The header is preferred: it covers every response and cannot be altered by content injected into the page.
When a resource does not match the policy directives, the browser refuses to load it. This applies to scripts, styles and any other resource type the policy covers, from third-party origins or from your own.
So if the policy restricts images (for example img-src 'self'), the browser will block a page's <img> tag whose src points at a third-party origin, and will log a violation in the developer console.
All latest versions of browsers Chrome, Edge, Firefox, Opera, and Safari provide support for CSP.
Topics to be covered
- Policy directives.
- Source List Reference.
- Apply the policy.
- Test your policy.
- Browser support.
- Threats
- Troubleshoot
Policy directives
CSP is used to restrict which content sources the browser may use. A policy is a set of directives, each naming a resource type (scripts, styles, images, and so on) followed by a source list. Once a Content-Security-Policy header is included in your application's responses, the browser rejects any content of that type from sources that are not explicitly listed or pre-approved by one of the directives.
You can add the header in IIS Manager (HTTP Response Headers feature of your site) or add the following to the <system.webServer> section of your Web.config file.
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy" value="default-src 'self'" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
The following are some of the policy directives:
default-src
default-src is the fallback for the fetch directives (script-src, style-src, img-src, object-src, etc.). When a specific directive is not present in the policy, the browser applies the default-src source list to that resource type instead.
- Use default-src 'self' to allow content from the current origin (same scheme, host and port).
- Use default-src 'none' to block everything that is not explicitly pre-approved by a more specific directive.
Example:
<add name="Content-Security-Policy" value="default-src 'self'" />
script-src
script-src is used to pre-approve script sources. Host sources are written without quotes; single quotes are reserved for keywords such as 'self', 'none', 'unsafe-inline' and 'unsafe-eval'.
- Use script-src 'self' to allow scripts from the current origin.
- You can pre-approve a path with script-src https://www.example.com/scripts/. The trailing slash makes it a prefix match, so any script under /scripts/ is allowed; without it, only that exact path matches.
- script-src *.googleapis.com allows scripts from any subdomain of googleapis.com (not from googleapis.com itself). A wildcard is only valid as the leftmost label of a host; a source such as www.example.* is not valid CSP and the browser ignores it.
- Specify 'unsafe-eval' to allow eval() and similar methods that create code from strings (new Function, setTimeout with a string argument).
<add name="Content-Security-Policy" value="script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.example.com/scripts/ *.googleapis.com" />
Note that 'unsafe-inline' and 'unsafe-eval' reopen the very hole CSP is meant to close: with 'unsafe-inline' present, any script an attacker manages to inject into the page will run. Use them only while migrating an existing application, and prefer nonces.
- script-src 'unsafe-inline' allows inline scripts, so you can write <script> </script> directly in the view. Don't do this in your application. If you need an inline script, mark it with a nonce instead so that only the inline blocks you wrote are allowed to run.
<script nonce="EDNnf03nceIOfn39fn3e9h3sdfa">
  doWhatever();
</script>
<add name="Content-Security-Policy" value="script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'" />
The header value is 'nonce-' followed by the same value as the attribute. The value must be base64 characters, unpredictable, and generated fresh for every response; a fixed nonce in Web.config (as in this syntax illustration) gives no protection, because an attacker can simply copy it. In practice the nonce is generated in server code and written into both the header and the view.
Nonce browser support
Nonces were introduced in CSP Level 2. They are supported by all current versions of Chrome and Firefox (support landed in their 2014 and 2015 releases), Safari 10+ and Edge 15+. No version of Internet Explorer supports nonces, or CSP Level 2 at all; users need Edge or another modern browser. Older browsers that do not understand 'nonce-…' simply ignore that source, which is why a migration policy often lists 'unsafe-inline' alongside the nonce: browsers that understand nonces ignore 'unsafe-inline' when a nonce is present.
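The following ASP.NET MVC 5 action filter is an added example, not code from the original post. It generates a fresh random nonce for every response, emits a Content-Security-Policy header built from the directives discussed in this post, and exposes the nonce to Razor views so inline scripts can carry it. The class, attribute and item-key names, the example.com path and the ReportOnly switch are illustrative choices for this example. If you use it, remove any static Content-Security-Policy header from Web.config: a browser enforces every CSP header it receives, so the static one would still block the nonced scripts.

```csharp
// Added example (not from the original post): per-response CSP nonce for ASP.NET MVC 5.
// Names such as CspNonceAttribute, NonceItemKey and CspNonce() are illustrative.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;

public class CspNonceAttribute : ActionFilterAttribute
{
    // Key under which the nonce is kept for the current request only.
    public const string NonceItemKey = "csp-nonce";

    // When true, emit Content-Security-Policy-Report-Only instead, so the browser
    // reports violations in the console without blocking anything while you tune the policy.
    public bool ReportOnly { get; set; }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpContextBase http = filterContext.HttpContext;

        // 128 bits from the OS CSPRNG, base64-encoded: a new value for every response.
        // A static or guessable nonce gives no protection, so never cache or reuse it.
        byte[] bytes = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        string nonce = Convert.ToBase64String(bytes);
        http.Items[NonceItemKey] = nonce;

        // Host sources are unquoted; only keywords and 'nonce-…' use single quotes.
        // Inline <script>/<style> blocks run only if they carry this exact nonce.
        string policy =
            "default-src 'self'; " +
            "script-src 'self' 'nonce-" + nonce + "' https://www.example.com/scripts/; " +
            "style-src 'self' 'nonce-" + nonce + "'; " +
            "img-src 'self'; " +
            "object-src 'none'";

        string headerName = ReportOnly
            ? "Content-Security-Policy-Report-Only"
            : "Content-Security-Policy";
        http.Response.AppendHeader(headerName, policy);

        base.OnActionExecuting(filterContext);
    }
}

// Razor helper so a view can stamp the nonce onto an inline script:
//   <script nonce="@Html.CspNonce()">doWhatever();</script>
public static class CspHtmlHelpers
{
    public static IHtmlString CspNonce(this HtmlHelper html)
    {
        object nonce = html.ViewContext.HttpContext.Items[CspNonceAttribute.NonceItemKey];
        // Base64 contains no characters that need HTML encoding, so it is safe to emit raw.
        return new MvcHtmlString(nonce == null ? string.Empty : (string)nonce);
    }
}

// Register once in App_Start/FilterConfig.cs so every action gets the header:
//   filters.Add(new CspNonceAttribute());
// Start with filters.Add(new CspNonceAttribute { ReportOnly = true }) and switch
// to enforcing mode once the console shows no unexpected violations.
```

Because the nonce lives in HttpContext.Items, it is scoped to one request and cannot leak into output caching or another user's response; if you enable OutputCache on an action, exclude views that embed the nonce, or a cached page would carry a nonce that no longer matches its header.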
style-src
style-src is used to pre-approve the CSS stylesheet sources.
- Use style-src ‘self’ to allow stylesheets from the current origin.
- You can pre-approve a path with style-src https://www.example.com/styles/. The trailing slash allows every stylesheet under that path. As with scripts, inline <style> blocks and style attributes are blocked unless you allow them with a nonce or, less safely, 'unsafe-inline'.
<add name="Content-Security-Policy" value="style-src 'self' https://www.example.com/styles/" />
object-src
object-src restricts the sources for plugin content loaded through the <object>, <embed> and (legacy) <applet> tags. Specify object-src 'none' to block all plugin content; this is the recommended setting, since plugins like Flash have been a frequent vector for executing attacker-controlled code even under an otherwise strict script-src.
<add name="Content-Security-Policy" value="object-src 'none'" / >
Author: Chuck Lu (GitHub)