I'm pretty new to web development and just about understand how a Content Security Policy (CSP) can be used to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. This makes sense to me for a Web App issuing web pages. Would I still need to implement CSP for a Web API that just responds with data (json, xml etc.)?
The content security policy (CSP) is an added layer of security that detects and mitigates certain types of attacks, including cross-site scripting and data injection attacks. You can add CSP directives to the Decision Center REST API by inserting the restapi.csp property into the server's virtual machine argument.
When to Use CSP. In general, complex web applications are more sensitive to XSS, making CSP important to use. Use CSP for any application that manages sensitive data, such as administrative user interfaces, device management consoles, or any products hosting files, documents or messages created by users.
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.
Azure API Management support for Content Security Policy is now generally available for both the developer portal and the self-hosted portal. This support enhances security and removes the need for custom functionality in the self-hosted portal.
When in doubt, I look at what websites with a decent security track record do. For example, GitHub seems to serve up some of their API responses with a pretty strict CSP:
Content-Security-Policy: default-src 'none'
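As an added example (not from the question or the answer above), here is a small Python helper that stamps the same `default-src 'none'` policy onto JSON responses, plus an audit function that parses a CSP header and reports whether it would still block script execution if the body were ever rendered as a document. The function names and sample headers are my own constructions.

```python
"""Apply and audit a strict CSP on data-only API responses.

Added illustration, not code from the original question or answer.
The audit follows the CSP fallback rule: script-src falls back to
default-src when absent, and a lone 'none' blocks every source.
"""
import json

API_CSP = "default-src 'none'"   # the policy quoted from GitHub's API responses


def json_response(payload):
    """Build a (status, headers, body) triple for a data-only endpoint.

    The CSP costs nothing for JSON consumers, and it limits what a browser
    can do if the response is ever opened directly as a page.
    """
    body = json.dumps(payload).encode()
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "Content-Security-Policy": API_CSP,
    }
    return 200, headers, body


def parse_csp(value):
    """Parse "dir src src; dir src" into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def scripts_blocked(policy):
    """True if no source could ever supply a script under this policy."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False  # neither directive present: scripts are unrestricted
    # An empty source list blocks everything; 'none' next to other
    # sources is ignored by browsers, so only a lone 'none' counts.
    return all(s.lower() == "'none'" for s in sources)


def audit_response(headers):
    """Classify an API response's CSP as 'missing', 'permissive' or 'strict'."""
    csp = headers.get("Content-Security-Policy")
    if csp is None:
        return "missing"
    return "strict" if scripts_blocked(parse_csp(csp)) else "permissive"
```

Running `audit_response` over the headers your API actually returns is a quick way to confirm every data endpoint ships the restrictive policy and none of them quietly widened it.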