CSP (Content Security Policy)
CSP is a browser security mechanism for preventing cross-site scripting (XSS) and data injection attacks.
CSP can be applied in two ways:
configure the web server to add a Content-Security-Policy header to its responses, or
add it in the HTML with a <meta> tag.
Directive | Description |
--- | --- |
default-src | Serves as a fallback for the other fetch directives |
connect-src | Restricts the URLs which can be loaded using script interfaces |
font-src | Specifies valid sources for fonts loaded using @font-face |
img-src | Specifies valid sources of images and favicons |
frame-src | Specifies valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe> |
script-src | Specifies valid sources for JavaScript |
Example: see the configuration below.
################HTTP Strict-Transport-Security###############
strict Action ="AddResponse",
FieldName = "Strict-Transport-Security",
FieldValue = "max-age=15768000"
################HTTP Content-Security-Policy################
security Action ="AddResponse",
FieldName ="Content-Security-Policy",
FieldValue = "default-src 'self'; connect-src 'self'; frame-src 'self'; script-src 'self'; img-src 'self'"
################HTTP X-XSS-Protection####################
X-XSS Action ="AddResponse",
FieldName ="X-XSS-Protection",
FieldValue= "1; mode=block"
################HTTP X-Content-Type-Options###############
X-Content Action ="AddResponse",
FieldName = "X-Content-Type-Options",
FieldValue = "nosniff"
################HTTP X-Download-Options##################
X-Download Action ="AddResponse",
FieldName = "X-Download-Options",
FieldValue ="noopen"
With this policy in place, a request to an origin the policy does not allow is refused and the browser console logs an error such as:
Refused to load because it appears in neither the connect-src directive nor the default-src directive of the Content Security Policy
This is how the headers can be configured.
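As an added example (not code from the original post), here is a small Python evaluator that parses a Content-Security-Policy value like the one above and reproduces the fallback rule behind that console error: a fetch directive that is not set inherits default-src. The policy string, the page origin https://example.com and the request URLs are constructed inputs; ports and paths are ignored for brevity.

```python
from urllib.parse import urlsplit

# Constructed inputs: the policy from the post (directives joined with ';')
# and a hypothetical page origin that 'self' resolves against.
POST_POLICY = "default-src 'self'; connect-src 'self'; frame-src 'self'; script-src 'self'; img-src 'self'"
PAGE_ORIGIN = "https://example.com"


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Match one source expression ('self', 'none', *, scheme: or host) against a URL."""
    u = urlsplit(url)
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source.endswith(":"):                     # scheme-source such as https:
        return u.scheme == source[:-1]
    scheme, _, host = source.rpartition("://")   # host-source with optional scheme
    if scheme and scheme != u.scheme:
        return False
    host = host.split("/")[0].lower()
    if host.startswith("*."):                    # *.cdn.example matches subdomains only
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host


def check_request(policy: dict, directive: str, url: str, page_origin: str):
    """Return (allowed, effective_directive). A fetch directive that is not set
    falls back to default-src, which is why the console error names both."""
    effective = directive if directive in policy else "default-src"
    sources = policy.get(effective)
    if sources is None:                          # nothing governs this request type
        return True, None
    return any(source_matches(s, url, page_origin) for s in sources), effective


if __name__ == "__main__":
    print(check_request(parse_csp(POST_POLICY), "font-src", "https://fonts.other.example/a.woff2", PAGE_ORIGIN))
```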