Content Security Policy, a.k.a. CSP, is a native browser feature that allows a page to communicate only with permitted resources.
Code Defender CSP gives you control over the resources (such as domains) the browser is allowed to communicate with or load resources from.
During Mitigation, Code Defender updates the policy to restrict the blocked resources, and the browser blocks all communication with the restricted resource.
This stops attackers from using code injection attacks and Magecart attacks to manipulate your site.
CSP is supported on the following PerimeterX Enforcers:
- NodeJS Express
- Akamai ESI
For details on installing CSP on your Enforcer, contact PerimeterX Support.
Code Defender CSP is applied per application on your site.
Code Defender CSP is managed in the Settings tab of the Code Defender console.
Blocking and Unblocking is done in the [Dashboard](https://console.perimeterx.com/codeDefender/dashboard) and the [Analyzer](https://console.perimeterx.com/codeDefender/analyzer) tabs.
When CSP is configured on an application, it is in one of three states: Disabled, Monitoring, or Mitigation.
When CSP is Disabled on an application, no headers are passed and no action is taken on incoming data.
- From the Application drop-down, select which application the CSP will be applied to
- Enable CSP to transition the CSP Application State from Disabled to Monitoring
This takes a few minutes, during which no other actions can be taken.
The CSP Application State in the Dashboard shows the status as In transition.
Click Details for more information on the status of the application state.
After the tuning process is complete, the CSP Application State will be Monitoring.
Transitioning to Monitoring enables the CSP on your site. All domains/activities are allowed by the CSP. The Content-Security-Policy-Report-Only header is passed. Because of this header, the browser sends violation reports to the Code Defender CSP backend without blocking anything; these reports are used to fine-tune the CSP. In the Audit Logs tab of the Code Defender console you will see the specific operation (CSP state changed to Disabled/Monitoring/Mitigation).
The [Report Only] prefix in a report indicates that the violation originated from the Content-Security-Policy-Report-Only header and that the action was not blocked.
When the CSP is in Monitoring mode, activities can be Blocked from both the Dashboard and Analyzer tabs. The blocked incident is listed in the Blocked Incidents list in the Dashboard and Analyzer. New incidents interacting with a blocked domain will not appear in your Incidents list.
When an activity/incident is blocked, the application's CSP state automatically transitions from "Monitoring" to "Mitigation".
When the application finishes transitioning to Mitigation mode, all site interaction with the incident's origin domain is blocked.
In Monitoring mode, you can also Disable CSP.
When an action on the site that violates the Content-Security-Policy is detected, the action is blocked by the browser and a report is generated in the console.
Both the Content-Security-Policy and the Content-Security-Policy-Report-Only headers are passed.
In Mitigation Mode the policy is enforced for all users to make sure not even one instance of the blocked network action is successful.
CSP is applied on your site per Application. When one or more (but not all) applications on your site are in Mitigation mode, the CSP Application State is shown as Mitigation in a Combined state. Expanding the CSP Details shows the CSP status of all the applications on the site.
Moving the application back to Monitoring unblocks all domains interacting with the application.
Unblocking a specific domain allows incidents interacting with the domain access to your site.
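To make the three states concrete, here is an added example that is not PerimeterX or Code Defender code: a small Express-style middleware that emits the headers each state implies (no headers when Disabled, only the Report-Only header when Monitoring, both headers when Mitigating), plus a parser for the violation reports the browser posts back. The report endpoint path, the idea of learning allowed hosts from Report-Only reports during tuning, and the sample report are all assumptions made for the example. Because CSP is an allowlist, "blocking" a domain means leaving it out of the enforced source list.

```javascript
// Added example, not PerimeterX / Code Defender code. Shows the headers the
// Disabled / Monitoring / Mitigation states imply and how a report is labelled.
const REPORT_PATH = '/csp-report'; // assumed collector path, not the vendor's

const STATES = Object.freeze({
  DISABLED: 'Disabled',
  MONITORING: 'Monitoring',
  MITIGATION: 'Mitigation',
});

// Build a policy string. `observed` is the list of hosts learned during tuning,
// `blocked` the hosts an operator blocked in the console (both assumptions).
// CSP cannot deny-list, so a blocked host is simply omitted from the allowlist.
function buildPolicy(observed, blocked) {
  const allowed = observed.filter((host) => !blocked.includes(host));
  const sources = ['default-src', "'self'", ...allowed].join(' ');
  return `${sources}; report-uri ${REPORT_PATH}`;
}

// Headers for a given application state.
function cspHeadersFor(state, { observed = [], blocked = [] } = {}) {
  switch (state) {
    case STATES.DISABLED:
      return {}; // no headers: nothing is reported, nothing is blocked
    case STATES.MONITORING:
      // Report-Only never blocks. A 'self'-only baseline makes every
      // third-party load produce a report, which is what tuning consumes.
      return { 'Content-Security-Policy-Report-Only': buildPolicy([], []) };
    case STATES.MITIGATION:
      // The enforced header omits the blocked hosts; Report-Only stays on so
      // the backend keeps full visibility of what the site loads.
      return {
        'Content-Security-Policy': buildPolicy(observed, blocked),
        'Content-Security-Policy-Report-Only': buildPolicy([], []),
      };
    default:
      throw new Error(`unknown CSP state: ${state}`);
  }
}

// Express-style middleware. `getState(req)` is consulted per request so a
// console change (e.g. Monitoring -> Mitigation) applies without a restart.
function cspMiddleware(getState) {
  return function cspHeaders(req, res, next) {
    const { state, observed, blocked } = getState(req);
    const headers = cspHeadersFor(state, { observed, blocked });
    for (const [name, value] of Object.entries(headers)) {
      res.setHeader(name, value);
    }
    next();
  };
}

// Describe one violation report (report-uri JSON body). CSP Level 3 reports
// carry `disposition`: "report" for the Report-Only header, "enforce" for the
// enforced header. Only the former gets the "[Report Only]" prefix.
function describeReport(body) {
  const r = body['csp-report'];
  if (!r) throw new Error('not a CSP violation report');
  const prefix = r.disposition === 'report' ? '[Report Only] ' : '';
  return `${prefix}${r['violated-directive']} blocked ${r['blocked-uri']} on ${r['document-uri']}`;
}

// Host to show in an incident list. `blocked-uri` may be a bare keyword such
// as "inline", "eval" or "data" rather than a URL; those have no domain.
function blockedHost(body) {
  const uri = body['csp-report']['blocked-uri'];
  try {
    return new URL(uri).hostname;
  } catch {
    return null;
  }
}

// Constructed sample report, not captured from a real browser.
const sampleReport = {
  'csp-report': {
    'document-uri': 'https://shop.example/checkout',
    'violated-directive': 'script-src-elem',
    'effective-directive': 'script-src-elem',
    'blocked-uri': 'https://cdn.third-party.example/tag.js',
    disposition: 'report',
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(cspHeadersFor(STATES.MONITORING));
  console.log(cspHeadersFor(STATES.MITIGATION, {
    observed: ['cdn.third-party.example', 'evil.example'],
    blocked: ['evil.example'],
  }));
  console.log(describeReport(sampleReport), '->', blockedHost(sampleReport));
}
```

Wiring `cspMiddleware` into an Express app is one `app.use(cspMiddleware(lookupStateForApp))` call placed before the route handlers; the `getState` callback is where the per-application state from the console would be looked up.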