What is CSP?
What CSP limitations do I need to be aware of?
In practice, application development and security teams face a tradeoff between the security and the functionality of their websites. Every host added to an allow list widens the set of origins the browser will execute code from, and a broad enough list reduces the protection CSP is supposed to provide to little more than a formality. Attackers also actively look for ways to circumvent CSP in order to steal data, distribute malware, or deface websites.
There are four main weaknesses in CSP that can expose you to e-skimming breaches:
- Excessive “allow list” rules or whitelisting.
- CSP bypass techniques.
- Incorrect CSP implementation.
- CSP implementation tradeoffs.
Is CSP right for me?
Yes, provided you have the time and resources to deploy and maintain CSP on a continuous basis. CSP is a good way to introduce a pseudo Zero Trust approach to protecting your web assets, but, as described above, it comes with significant limitations. In particular, CSP is not a complete defense against cross-site scripting. Even with a policy in place, scriptless and post-XSS attacks (for example, injected markup or CSS that leaks page content without running any script) can still succeed, some XSS vulnerabilities are simply not mitigated (such as injections that land in an allow-listed origin or on a page that permits 'unsafe-inline'), and older browsers do not enforce CSP at all.
So, while CSP adds a worthwhile layer of client-side protection, it stops only a limited set of client-side threats. To learn more about CSP and best practices for improving your client-side security, check out our white paper.