 

Do I need CSP for a Web API?

I'm pretty new to web development and just about understand how a Content Security Policy (CSP) can be used to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. This makes sense to me for a Web App issuing web pages. Would I still need to implement CSP for a Web API that just responds with data (json, xml etc.)?

James B asked Jun 08 '17 14:06



1 Answer

When in doubt, I look at what websites with a decent security track record do. For example, Github seems to serve up some of their API responses with a pretty strict CSP:

Content-Security-Policy: default-src 'none'
twelve40 answered Sep 22 '22 05:09
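Putting the answer's observation into practice, as an added example that is not part of the original question or answer: a Node.js request handler that sends that strict CSP on every JSON response. The route, the payload and the in-memory stand-in for the response object are assumptions made for the demo.

```javascript
// Added example, not code from the question or the answer. A CSP only takes
// effect when a browser renders the response as a document, but an API body
// can end up rendered directly (a user opening the URL, or a response served
// with the wrong Content-Type), so "default-src 'none'" costs nothing and
// closes that case. Route, payload and the fake response are demo assumptions.

// Headers every API response carries, kept in one function so all handlers
// stay consistent and the set can be unit-tested.
function apiResponseHeaders() {
  return {
    "Content-Type": "application/json; charset=utf-8",
    // If a browser ever renders this body as a document, nothing may load or run.
    "Content-Security-Policy": "default-src 'none'",
    // Stop browsers from sniffing a JSON body into HTML, which is what would
    // make markup inside the response matter in the first place.
    "X-Content-Type-Options": "nosniff",
  };
}

// Plain Node http-style handler (req, res). To serve it for real:
//   require("http").createServer(handler).listen(3000);
// then inspect the headers with: curl -i http://localhost:3000/v1/items
function handler(req, res) {
  res.writeHead(200, apiResponseHeaders());
  res.end(JSON.stringify({ ok: true, path: req.url }));
}

// Drive the handler without opening a socket: a minimal stand-in for
// http.ServerResponse that records what the handler sent.
function runHandler(path) {
  const sent = { status: 0, headers: {}, body: "" };
  const res = {
    writeHead(status, headers) { sent.status = status; sent.headers = headers; },
    end(body) { sent.body = body; },
  };
  handler({ url: path }, res);
  return sent;
}

const demo = runHandler("/v1/items");
console.log(demo.status, demo.headers["Content-Security-Policy"], demo.body);
```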