Content Security Policy (CSP)

Code Defender mitigates malicious incidents by leveraging Content Security Policy (CSP).

What is Content Security Policy?

Content Security Policy, a.k.a. CSP, is native browser functionality that allows a page to communicate only with permitted resources.

How does Content Security Policy work?

Content Security Policy is the name of an HTTP response header sent to the browser. The Content-Security-Policy header lets the server restrict which resources the browser may load, such as JavaScript, CSS, or pretty much anything else the browser fetches.

How does Code Defender CSP work?

Code Defender CSP gives you control over the resources (such as domains) the browser is allowed to communicate with or load resources from.

Code Defender CSP uses both PerimeterX Sensor JavaScript monitoring and CSP violations reports to automatically and dynamically build the CSP policy and to keep the Policy up to date in real-time.

During Mitigation, Code Defender updates the policy to restrict the blocked resources, and the browser then blocks all communication with each restricted resource.
This stops attackers from using code injection and Magecart attacks to manipulate your site.

Installing CSP

CSP is supported on the following PerimeterX Enforcers:

  • Fastly
  • NodeJS Express
  • Cloudflare
  • Akamai ESI

For details on installing CSP on your Enforcer, contact PerimeterX Support.

Code Defender CSP is applied per application on your site.

Managing CSP on my applications

Code Defender CSP is managed in the Settings tab of the Code Defender console.


Blocking and Unblocking is done in the Dashboard and the Analyzer tabs.

When CSP is configured on an application, it will be in one of three states: Disabled, Monitoring, or Mitigation.

When CSP is Disabled on an application, no headers are passed and no action is taken on incoming data.

Enabling CSP

  1. From the Application drop-down, select the application the CSP will be applied to.
  2. Enable CSP to transition the CSP Application State from Disabled to Monitoring. This takes a few minutes, during which no other actions can be taken.

While the transition is in progress, the CSP Application State in the Dashboard shows the status as In transition.
Click Details for more information on the status of the application state.


After the tuning process is complete, the CSP Application State will be Monitoring.


Transitioning to Monitoring enables the CSP on your site. All domains/activities are allowed by the CSP. The Content-Security-Policy-Report-Only header is passed; the browser sends violation reports to the Code Defender CSP backend, and these reports are used to fine-tune the CSP. In the Audit Logs tab of the Code Defender console you will see the specific operation (CSP state changed to Disabled/Monitoring/Mitigation).
The [Report Only] prefix in a report indicates that the violation originated from the Content-Security-Policy-Report-Only header and that the action was not blocked.


Blocking - Transitioning to Mitigation Mode

When the CSP is in Monitoring mode, activities can be Blocked from both the Dashboard and Analyzer tabs. The blocked incident is listed in the Blocked Incidents list in the Dashboard and Analyzer. New incidents interacting with a blocked domain will not appear in your Incidents list.


When the activity/incident is blocked, the application's CSP state automatically transitions from "Monitoring" to "Mitigation".


When the application finishes transitioning to Mitigation mode, all site interaction with the incident's origin domain is blocked.


In Monitoring mode, you can also Disable CSP.


When an action on the site that violates the Content-Security-Policy is detected, the browser blocks the action and a report is generated in the console.
Both the Content-Security-Policy and the Content-Security-Policy-Report-Only headers are passed.
In Mitigation mode the policy is enforced for all users, to make sure that not even one instance of the blocked network action succeeds.
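The following is an added example, not Code Defender's own code or policy format. It shows in plain JavaScript (Node.js is one of the listed Enforcer platforms, though no Express API is used here) how the Monitoring and Mitigation states described above map onto real browser headers: Monitoring sends only Content-Security-Policy-Report-Only, Mitigation sends both headers, and a browser violation report carries a `disposition` field that tells you whether the [Report Only] prefix applies. The directive set, the origins, the `/csp-report` endpoint and the sample report body are all constructed for the example; using the same policy string in both Mitigation headers is also an assumption.

```javascript
// Added illustration, not Code Defender's own code: how the three CSP
// application states map onto browser headers, and how a browser
// violation report is read back. All origins, the report endpoint and
// the sample report are constructed for this example.

// Policy for one application. Origins observed during monitoring stay
// allowed; origins an operator has blocked are dropped, so the browser
// refuses to load from them. The directive set is a simplification
// (assumption); report-uri is the standard directive browsers use to
// POST violation reports.
function buildPolicy(observedOrigins, blockedOrigins, reportEndpoint) {
  const blocked = new Set(blockedOrigins);
  const allowed = observedOrigins.filter((origin) => !blocked.has(origin));
  const sources = ["'self'", ...allowed].join(" ");
  return [
    `default-src ${sources}`,
    `script-src ${sources}`,
    `connect-src ${sources}`,
    `report-uri ${reportEndpoint}`,
  ].join("; ");
}

// Response headers per state: Disabled sends nothing, Monitoring sends
// only the Report-Only header, Mitigation sends both. Reusing one policy
// string for both Mitigation headers is an assumption of this example.
function headersFor(state, policy) {
  switch (state) {
    case "Disabled":
      return {};
    case "Monitoring":
      return { "Content-Security-Policy-Report-Only": policy };
    case "Mitigation":
      return {
        "Content-Security-Policy": policy,
        "Content-Security-Policy-Report-Only": policy,
      };
    default:
      throw new Error(`unknown CSP application state: ${state}`);
  }
}

// Read one report-uri violation report (the JSON body a browser POSTs).
// disposition is "report" for Report-Only violations and "enforce" for
// blocked ones; reports from older browsers may lack the field and then
// have to be correlated with the application state instead.
// blocked-uri is not always a URL: it can be "inline", "eval" or "data".
function summarizeReport(jsonText) {
  const report = JSON.parse(jsonText)["csp-report"];
  if (!report) throw new Error("not a CSP violation report");
  const reportOnly = report.disposition === "report";
  const directive = report["effective-directive"] || report["violated-directive"];
  let origin = report["blocked-uri"] || "";
  try {
    origin = new URL(origin).origin; // reduce a full URL to its origin
  } catch (_e) {
    // keyword such as "inline" or "eval": keep it as-is
  }
  const prefix = reportOnly ? "[Report Only] " : "";
  return {
    reportOnly,
    origin,
    directive,
    line: `${prefix}${directive} violation from ${origin} on ${report["document-uri"]}`,
  };
}

// Constructed sample: what a browser would POST after a page loaded a
// script from an origin outside the allow-list while Report-Only was set.
const SAMPLE_REPORT = JSON.stringify({
  "csp-report": {
    "document-uri": "https://shop.example/checkout",
    "effective-directive": "script-src",
    "violated-directive": "script-src",
    "blocked-uri": "https://unlisted-cdn.example/tag.js",
    "disposition": "report",
    "status-code": 200,
  },
});

// Walk one application through Monitoring (everything observed is allowed)
// to Mitigation (one origin blocked) and read the sample report.
function demo() {
  const observed = ["https://static.shop.example", "https://unlisted-cdn.example"];
  const blockedAfterReview = ["https://unlisted-cdn.example"];
  return {
    monitoring: headersFor("Monitoring", buildPolicy(observed, [], "/csp-report")),
    mitigation: headersFor("Mitigation", buildPolicy(observed, blockedAfterReview, "/csp-report")),
    report: summarizeReport(SAMPLE_REPORT),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` to see the two header sets side by side; the Mitigation policy no longer lists the blocked origin, and the report line carries the [Report Only] prefix because the browser set `disposition` to `report`.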


CSP is applied on your site per Application. When one or more (but not all) applications on your site are in Mitigation mode, the CSP Application State shows Mitigation mode in a Combined state. Expanding the CSP Details shows the CSP status of all the applications on the site.


Moving the application back to Monitoring unblocks all domains interacting with the application.
Unblocking a specific domain allows incidents interacting with that domain access to your site again.