Inventory your first and third-party domains
Step one of the CSP journey is having a comprehensive understanding of who has access to your website, and what they’re loading. Oftentimes the results are surprising! Outside of your expected first-party domains, there is likely a large swath of third-party domains living on your website. These domains serve a variety of purposes – from collecting data to displaying banner ads on your website. Inventorying all these domains for every single page of your site is critical to getting off on the right foot.
Every single page? We know this may seem overwhelming, but this process is important if you want to implement a stricter CSP on your more sensitive pages (checkout, account creation, etc.) as opposed to your home page or blog.
Create the Whitelist
Now that you have taken inventory of all your site’s domains, it is time to create a whitelist. Your whitelist is a compilation of the first and third-party domains that you would like to allow onto your site. Be sure to include the type of resources each of these domains is allowed to load. That will save you time in the build stage.
To visualize this process, we can use Blue Triangle's CSP Manager to identify every resource that the domain bazaarvoice.com is loading:
Then we can go through the approval process here:
Remember, you don’t have to treat the whitelist as if it is the sole determinant for what is allowed on all pages on your site. Consider having a whitelist for the most sensitive areas of your site, and one for all others. That is, the whitelist for sensitive pages such as checkout pages should only allow what is strictly necessary for the page’s core functionality. Pages that don’t collect personal information can have a much more relaxed, one-size-fits-most security policy.
Building a CSP
Now that you’ve determined your whitelist(s) of approved domains, you can begin building your Content-Security-Policy header(s) and/or meta tag(s). If you’ve already specified what resources each domain is allowed to load, you can properly utilize CSP directives.
For example, google.com and adroll.com are allowed to load scripts via the script-src directive here:
Content-Security-Policy: script-src google.com adroll.com
For resource types that do not have a directive of their own (styles, images, and so on in the example below), the default-src directive is applied as the fallback.
Content-Security-Policy: default-src yahoo.com; script-src google.com adroll.com
Below is a list of the most common CSP directives.
Make sure you put a space between each domain within each directive. If any of your domains has a subdomain, you will want to denote that like
Be careful to not make any typos and ensure every domain is accounted for.
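To tie the steps together, here is an added example (not code from the original post or from Blue Triangle) that turns a per-page whitelist into a Content-Security-Policy header, shows which sources apply to a resource type once the default-src fallback is taken into account, and rejects malformed domain entries before they reach production. The whitelists, the resource-type mapping, and the use of bazaarvoice.com as a wildcard subdomain entry are constructed for illustration; google.com, adroll.com and yahoo.com are the hosts from the post’s own header examples.

```python
import re

# Resource type recorded during inventory -> CSP fetch directive (assumed subset).
DIRECTIVE_FOR_TYPE = {
    "default": "default-src", "script": "script-src", "style": "style-src",
    "img": "img-src", "connect": "connect-src", "frame": "frame-src",
}
KEYWORDS = {"'self'", "'none'"}
# Host, optional scheme, optional "*." subdomain wildcard, optional port.
HOST_RE = re.compile(r"^(https?://)?(\*\.)?([a-z0-9-]+\.)+[a-z]{2,}(:\d+)?$")

# Constructed per-page whitelists: source -> resource types it may load.
# The checkout tier allows only what the page needs; the general tier is looser.
ALLOWLISTS = {
    "checkout": {"'self'": {"default"}, "google.com": {"script"}},
    "general": {
        "'self'": {"default"}, "yahoo.com": {"default"},
        "google.com": {"script"}, "adroll.com": {"script"},
        "*.bazaarvoice.com": {"img", "connect"},  # subdomain wildcard entry
    },
}

def is_valid_source(src):
    """Catch typos (double dots, stray spaces) that would silently break the policy."""
    return src in KEYWORDS or HOST_RE.match(src) is not None

def build_csp(allowlist):
    """Turn a whitelist into a Content-Security-Policy header value."""
    by_directive = {}
    for src, types in allowlist.items():
        if not is_valid_source(src):
            raise ValueError(f"invalid CSP source: {src!r}")
        for t in types:
            by_directive.setdefault(DIRECTIVE_FOR_TYPE[t], []).append(src)
    # default-src first, then the rest alphabetically; sources separated by spaces.
    names = sorted(by_directive, key=lambda d: (d != "default-src", d))
    return "; ".join(f"{d} {' '.join(sorted(by_directive[d]))}" for d in names)

def parse_csp(header):
    """Split a header value back into directive -> list of sources."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy

def effective_sources(header, resource_type):
    """Sources the browser accepts for a resource type, falling back to default-src."""
    policy = parse_csp(header)
    return policy.get(DIRECTIVE_FOR_TYPE[resource_type], policy.get("default-src", []))
```

Generating the header from the same inventory data you approved keeps the whitelist and the deployed policy from drifting apart, and `effective_sources` lets you confirm which directive actually governs a resource on each page tier.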