3 reasons your website needs a content security policy

Arguably, the most important element in business is trust.

It’s impossible to retain customers, bring in new qualified leads and leave a lasting impression on the market if you’re seen as untrustworthy. Nothing diminishes trust quicker than having to inform your users that their personal data has been compromised.

Your customers trust that their data is secure in your hands. Given Google’s emphasis on on-site security over the last few years, customers are expecting that your site is encrypted via https AND what they are seeing on the webpage is what you intended.

Why is that last part important?

Injection attacks are among the most common attacks against public websites. An attacker inserts content into the page so that it appears to be native to the site; once the browser loads that content, the attacker’s plan is in motion and likely to cause some damage.

Most customers are savvy enough to spot when something isn’t right on your website, especially if they’re a recent visitor. Yet, taking the “it won’t happen to me” approach simply won’t cut it anymore.

While smaller websites are less likely to be a target, they are often the ones that struggle to repel attacks and having months of downtime can be detrimental to their revenue.

What Is a Content Security Policy (CSP)?

A CSP acts as an additional checkpoint for web browsers.

Web browsers don’t discriminate between the information sent their way. They can’t tell the difference between content you intended to show and piggybacking content placed there by someone else. If content is present that shouldn’t be, the browser assumes it belongs and executes it regardless.

This provides a big opening for attackers to manipulate the browser as they see fit.

A CSP is a mechanism that informs the browser of the exact content that is allowed. This allows you and your developers to define a clear set of rules for the browser. If a script is received that isn’t covered by these rules, it is blocked, with no downtime to the site.

Content security policies commonly help mitigate cross-site scripting and data injection attacks, which we’ll discuss in more detail below.

What Does a CSP Help Prevent?

Stop Attackers From Gaining Access to Your Site

An attacker’s dream is to be able to load up your webpage and show whatever they want to your users. They don’t have to worry about marketing tactics, building a client base or even providing anything of value. They only need to know how to do it and they can reap the benefits.

Unless you have a CSP blocking their path.

A common method of achieving this is to send malicious links en masse to databases of email addresses. When a user clicks such a link, they are taken to the legitimate website they expected. However, accessing the site via this link may provide the attacker with certain luxuries, such as click tracking and executing arbitrary JavaScript in the victim’s browser.

Impersonation & Access to Private Information

Cross-site scripting and SQL injections can be exceptionally scary as a customer because you may not be aware it’s even happening.

Cookies are a prime target for attackers. They are often used as session tokens and can store personal information related to your visits to a particular website. Obtaining a user’s session cookie means an attacker could effectively perform actions as that user, impersonating them and gaining access to sensitive data held on that site.

A method that catches many people off guard is injecting a bogus contact form or other submission form. The victim thinks they are signing up to receive something when, in fact, their details are going directly to an attacker.

Finally, something a lot more serious and frightening for a user is an attacker gaining access to software and files on their computer. HTML5 APIs, which are widely available in modern browsers, can be abused in various ways to gain access to a user’s microphone, webcam, location and files on their system.

This kind of attack will almost always require the user to opt in; however, attackers may find other ways to brute force their way around this limitation.

Scary, right?

A CSP provides an extra layer of protection that can bar an attacker from succeeding at the above.
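The mechanism described in the CSP section above, and the attacks in this section (an injected script, or a bogus form posting a visitor’s details to a third party), can be seen in a small model of how a browser evaluates a policy. This is an added example, not code from the original post or from Green Knight Digital. It models only the common source expressions (`'self'`, `'none'`, `'unsafe-inline'`, scheme sources such as `https:`, exact hosts and `*.host` wildcards), ignores nonces, hashes and path matching, and the policy string, page origin and URLs are constructed for the demonstration.

```javascript
// Added example (not from the original post): a deliberately simplified model
// of how a browser applies a Content-Security-Policy header. Real browsers run
// the full CSP3 matching algorithm; this covers 'self', 'none', 'unsafe-inline',
// scheme sources (https:), exact hosts and *.host wildcards. Nonces, hashes and
// path-based matching are not modelled. All policies and URLs are constructed.

// Parse "directive src src; directive src" into a Map of directive -> [sources].
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Fetch directives fall back to default-src when absent; form-action does not.
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'style-src', 'img-src', 'connect-src', 'frame-src', 'font-src',
]);

function sourcesFor(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FALLS_BACK_TO_DEFAULT.has(directive) && policy.has('default-src')) {
    return policy.get('default-src');
  }
  return null; // no restriction for this directive
}

// Does one source expression permit the URL, given the page's origin?
// Simplification: a host source without a scheme matches any scheme here.
function sourceMatches(source, url, pageOrigin) {
  const lower = source.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") return url.origin === pageOrigin.origin;
  if (lower.endsWith(':')) return url.protocol === lower; // scheme source, e.g. https:
  const m = /^(?:(https?):\/\/)?(\*\.)?([^/:]+)(?::(\d+))?$/.exec(lower);
  if (!m) return false; // sources with paths are not modelled
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  if (port && url.port !== port) return false;
  if (wildcard) return url.hostname.endsWith('.' + host);
  return url.hostname === host;
}

// Decide whether a load is allowed: url is an absolute URL string for external
// content or a form target, or null for an inline script / inline handler.
function isAllowed(header, directive, url, pageUrl) {
  const sources = sourcesFor(parsePolicy(header), directive);
  if (sources === null) return true;
  if (url === null) {
    return sources.map((s) => s.toLowerCase()).includes("'unsafe-inline'");
  }
  const page = new URL(pageUrl);
  const target = new URL(url);
  return sources.some((s) => sourceMatches(s, target, page));
}

// Constructed policy and page for the demonstration.
const POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; form-action 'self'";
const PAGE = 'https://shop.example.com/checkout';

function demo() {
  return {
    ownScript: isAllowed(POLICY, 'script-src', 'https://shop.example.com/app.js', PAGE),      // true
    cdnScript: isAllowed(POLICY, 'script-src', 'https://cdn.example.com/lib.js', PAGE),       // true
    injectedScript: isAllowed(POLICY, 'script-src', 'https://untrusted.example/x.js', PAGE),  // false
    inlineScript: isAllowed(POLICY, 'script-src', null, PAGE),                                 // false
    bogusForm: isAllowed(POLICY, 'form-action', 'https://untrusted.example/collect', PAGE),   // false
    imageFallsBack: isAllowed(POLICY, 'img-src', 'https://cdn.example.com/logo.png', PAGE),   // false
  };
}

console.table(demo());
```

The two results worth pausing on are `inlineScript` and `bogusForm`: an injected `<script>` block or `onclick` handler is refused because the policy never grants `'unsafe-inline'`, and a form injected into the page cannot post to another origin because `form-action 'self'` restricts submissions to the site itself. The `img-src` case shows the fallback rule: a directive that is not listed inherits `default-src`, so the logo on the CDN would need `img-src` added explicitly.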

Defend Against Packet Sniffing Attacks

A packet sniffing attack is one in which an attacker intercepts network traffic to capture usernames and their active passwords, steal bank information, spy on messages and emails, or engage in identity theft.

Developers can use a CSP to specify which protocols a domain may be loaded over. For example, they can force all content to be loaded over HTTPS (which is recommended). They can also add encryption to cookies.

This helps deny attackers the quick shortcuts used in the most common account takeover (ATO) attacks.
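As an added example (not from the original post or from Green Knight Digital), here is a small check for the protocol-related weaknesses the paragraphs above refer to, with a weak policy shown beside a hardened one, followed by the response headers that belong with it. The `upgrade-insecure-requests` directive and the `Strict-Transport-Security` header are real browser features; marking the session cookie `Secure` (so it is never sent over plaintext HTTP) is how I read the post’s “encryption to cookies”; the two policies, the cookie value and the function names are constructed for the demonstration.

```javascript
// Added example (not from the original post): flag CSP settings that leave
// plaintext-HTTP loading or inline scripts open, and show a weak policy beside
// a hardened one. Policies, cookie value and function names are constructed.

// Weak: permits plaintext http: loads and inline scripts.
const WEAK_POLICY =
  "default-src 'self' http: https:; script-src 'self' 'unsafe-inline' http://cdn.example.com";

// Hardened: same origin plus one CDN over HTTPS, and legacy http:// references
// are rewritten to https:// by the browser before the request leaves.
const HARDENED_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.com; upgrade-insecure-requests";

// Return a list of findings for a policy string; an empty list means clean.
function reviewPolicy(header) {
  const findings = [];
  const directives = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  for (const [name, sources] of Object.entries(directives)) {
    if (sources.includes("'unsafe-inline'") && (name === 'script-src' || name === 'default-src')) {
      findings.push(`${name}: 'unsafe-inline' lets injected inline scripts run`);
    }
    if (sources.includes('http:')) {
      findings.push(`${name}: scheme source http: allows plaintext loads`);
    }
    for (const s of sources) {
      if (s.startsWith('http://')) findings.push(`${name}: ${s} is fetched over plaintext HTTP`);
    }
  }
  if (!('upgrade-insecure-requests' in directives)) {
    findings.push('upgrade-insecure-requests missing: legacy http:// references stay plaintext');
  }
  return findings;
}

// Response headers a server should send alongside the hardened policy.
// Secure keeps the session cookie off plaintext HTTP, where a packet sniffer
// could read it; HttpOnly keeps it away from page scripts; HSTS makes the
// browser use HTTPS for every later visit.
function securityHeaders(sessionId) {
  return {
    'Content-Security-Policy': HARDENED_POLICY,
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'Set-Cookie': `session=${sessionId}; Secure; HttpOnly; SameSite=Lax; Path=/`,
  };
}

console.log('weak policy:', reviewPolicy(WEAK_POLICY));
console.log('hardened policy:', reviewPolicy(HARDENED_POLICY));
console.log(securityHeaders('constructed-session-id'));
```

Running this lists four findings for the weak policy (the `http:` scheme source, `'unsafe-inline'`, the CDN referenced over `http://`, and the missing `upgrade-insecure-requests`) and none for the hardened one. Note that `upgrade-insecure-requests` only rewrites requests the page itself makes; the `Strict-Transport-Security` header is what stops the first request to the site going out over plaintext HTTP on later visits.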

Get Protected With a CSP

Implementing a CSP is invaluable in protecting your company website and your visitors’ personal information.

If you had your website coded from scratch, it’s usually a simple process for the developers to implement a CSP right after it’s been built. Moreover, they should know the ins and outs of their code well enough to implement it fairly quickly, even if your site has been live for a while.

Here’s the unfortunate catch…

Implementing a CSP in WordPress or another content management system (CMS) can be rather difficult. WordPress, for example, is inherently exposed to the types of attacks that a CSP can protect you from.

To make matters worse, a CSP does not play nice with other plugins installed onto WordPress websites. If your site is built on WordPress or another system, we recommend contacting an expert to ensure a CSP is implemented correctly.

At Green Knight Digital, this is exactly what we do. Contact us using the button below to jump on a free consultation call, where we can see exactly what it’s going to take to get you protected from attackers.
