Content Security Policy

From WHY42
Revision by Riguz (talk | contribs) as of 01:22, 9 January 2024 (Tue) (Created page)

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.

To enable CSP, you need to configure your web server to return the Content-Security-Policy HTTP header. (Sometimes you may see mentions of the X-Content-Security-Policy header, but that's an older version and you don't need to specify it anymore.)

Alternatively, the <meta> element can be used to configure a policy, for example:

<syntaxhighlight lang="html">
<meta
  http-equiv="Content-Security-Policy"
  content="default-src 'self'; img-src https://*; child-src 'none';" />
</syntaxhighlight>
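As an added example (not code from the original page), the following Python linter parses a policy value like the one above into its directives and flags settings that undo CSP's protection against script injection; the two sample policies it checks are constructed for the demonstration.

```python
"""Added example: parse a Content-Security-Policy value and flag weak settings."""
from typing import Dict, List


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a policy into {directive: [source, ...]}.

    Directives are separated by ';' and each reads 'name source source ...'.
    Names are case-insensitive, and when a directive is repeated browsers keep
    the first occurrence and ignore the rest, so that is what we do here.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue  # trailing ';' or an empty segment
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives: Dict[str, List[str]], name: str) -> List[str]:
    """Sources governing `name`; fetch directives fall back to default-src."""
    return directives.get(name, directives.get("default-src", []))


def audit_csp(policy: str) -> List[str]:
    """Return findings that weaken CSP's defence against injected scripts."""
    d = parse_csp(policy)
    findings: List[str] = []
    if "default-src" not in d:
        findings.append("missing default-src: fetch directives not listed are unrestricted")
    script = [s.lower() for s in effective_sources(d, "script-src")]
    if not script:
        findings.append("script-src is unrestricted: neither script-src nor default-src is set")
    # 'unsafe-inline' is ignored by browsers once a nonce or hash source is present.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash: inline XSS executes")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval': eval/new Function sinks are enabled")
    if any(s in ("*", "http:", "https:", "data:") for s in script):
        findings.append("script-src allows scripts from any origin or from data: URLs")
    return findings


# Constructed sample policies: the page's <meta> example and a deliberately weak one.
META_POLICY = "default-src 'self'; img-src https://*; child-src 'none';"
WEAK_POLICY = "script-src 'self' 'unsafe-inline' https:; img-src *"

if __name__ == "__main__":
    for label, pol in (("meta example", META_POLICY), ("weak policy", WEAK_POLICY)):
        print(label, "->", audit_csp(pol) or ["no findings"])
```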