Published in Gusto Engineering

Nonce-based Content Security Policy (CSP) in Rails

Introduction

What is a Content Security Policy?

Figure: script-src directive with some host-source directives allowing for CSP bypass
Figure: Network tab shows CSP enforcing “mode” blocking some fonts from loading

What is the point of a Content Security Policy?

Figure: Defense in depth — an attacker must break through each layer of defense, from sanitization of user input to CSP, in order to reach the crown jewels

Enforcing vs Report-Only

Figure: Example of CSP violation in DevTools console when CSP is in Report-Only “mode”
Figure: Network tab in Chrome DevTools shows that both Content-Security-Policy and Content-Security-Policy-Report-Only headers are sent

How Does Reporting Work?

Figure: Example report-uri directive

Example CSP violation report, as posted to the report-uri endpoint:

{
  "csp-report": {
    "blocked-uri": "inline",
    "column-number": 1,
    "document-uri": "http://gusto.com/path",
    "line-number": 21,
    "original-policy": "default-src 'self'; script-src 'unsafe-inline' 'strict-dynamic' 'nonce-[removed]'; report-uri https://subdomain.report-uri.com/r/d/csp/ReportOnly",
    "violated-directive": "script-src"
  }
}

Traditional CSP vs Nonce-based CSP

Figure: Example of a directive in traditional CSP
Figure: Example of nonce-based CSP behavior with script-src directive
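The report format shown under "How Does Reporting Work?" and the nonce-based script-src behavior described here, as an added Ruby example (not code from the original post or from Gusto): it builds a per-request nonce-based policy in the shape of the `original-policy` above and parses a constructed report of the same shape, flagging an inline-script violation under a nonce policy, which is what an inline script without the nonce produces. The report-uri value and the report body are constructed for the example.

```ruby
require 'json'
require 'securerandom'

# Constructed sample report, shaped like the one shown in the post.
SAMPLE_REPORT = <<~JSON
  {
    "csp-report": {
      "blocked-uri": "inline",
      "column-number": 1,
      "document-uri": "http://gusto.com/path",
      "line-number": 21,
      "original-policy": "default-src 'self'; script-src 'unsafe-inline' 'strict-dynamic' 'nonce-[removed]'; report-uri https://subdomain.report-uri.com/r/d/csp/ReportOnly",
      "violated-directive": "script-src"
    }
  }
JSON

# A nonce must be unpredictable and fresh for every response; 16 random bytes
# (128 bits) encoded as base64 is the usual choice.
def generate_nonce
  SecureRandom.base64(16)
end

# Build the policy string for one response. With 'strict-dynamic' and a nonce,
# browsers that support both ignore 'unsafe-inline' and the host-source list,
# so only scripts carrying this nonce (and scripts they load) may run.
def build_policy(nonce, report_uri:)
  [
    "default-src 'self'",
    "script-src 'unsafe-inline' 'strict-dynamic' 'nonce-#{nonce}'",
    "report-uri #{report_uri}"
  ].join('; ')
end

# Parse a report body into a small summary hash. Returns nil for bodies that
# are not a CSP report (malformed JSON or missing "csp-report" key).
def parse_csp_report(body)
  report = JSON.parse(body)['csp-report']
  return nil unless report.is_a?(Hash)
  {
    directive: report['violated-directive'],
    blocked: report['blocked-uri'],
    location: "#{report['document-uri']}:#{report['line-number']}:#{report['column-number']}",
    # "inline" under a nonce policy means an inline script lacked the nonce
    inline_script: report['blocked-uri'] == 'inline',
    nonce_policy: report['original-policy'].to_s.include?("'nonce-")
  }
rescue JSON::ParserError
  nil
end
```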

Appendix
