Content Security Policy builder
“Define which web pages are allowed to load website content”
What is Qbine’s Content Security Policy Builder?
What is the Qbine Content Security Policy Builder, and what is a content security policy in the first place? A CSP (short for Content Security Policy) is an HTTP response header that restricts how a browser may load resources for a page. Every website should use a CSP, as it protects your website against attacks such as cross-site scripting, data injection and clickjacking.
To create a CSP, it is important to know what it is, how to create it and where to deploy it. With the CSP Builder, Qbine creates a CSP for you by default: the moment a website is added to Qbine, it generates both a blocking CSP and a reporting CSP. From there on, it is possible to change the generated CSP or create a new one.
A CSP can block or report
There are two types of CSP: one that blocks and one that only reports. By default, Qbine generates a low-security blocking CSP, which protects against the most common attacks. When a high-security CSP is generated for a website, chances are that some files will be blocked, and when Qbine blocks files the website will not work properly. That is why a high-security reporting CSP is generated alongside it: this makes it easy to find out what would break, so the blocking CSP can be adjusted accordingly.
Simple and advanced CSP mode
It is hard to create a properly working CSP. That is why Qbine can do it for you. Qbine has a simple mode in which different levels of security can be chosen. When only basic security is required, choosing low security with high blocking is recommended. Inside the simple mode, your own resources can easily be added. The advanced CSP mode requires more knowledge of CSP, as it lets you create fully custom CSPs.
Extra features from the CSP builder
Several features can be found inside the user interface of the CSP builder. Qbine makes it possible to disallow mixed content, so insecure content will never be shown. Another Qbine feature is Upgrade Insecure Requests: if insecure (HTTP) files are still used and cannot be changed, this directive tells the browser to request them over HTTPS instead.
Next to these features and the CSP builder itself, CSP graphs are available too. Qbine shows when something is blocked or reported and how many requests were blocked or reported.
Example 1
When opening the simple mode, the first thing shown is Content-Security-Policy: default-src 'self'. This means that all content must come from the origin server; any content from outside the origin server is blocked. Right after the default-src, trusted sources can easily be added to your CSP by clicking the green 'plus' sign. Qbine builds the CSP by appending the source after default-src 'self'. This way external content, for example Google Analytics, can be allowed.
Example 2
Every site has different pages, and for every page a custom CSP can be created. For example, an admin panel may need different files than the homepage. Inside the CSP builder, the URL pattern for the admin panel, "/admin/*", is added. The asterisk matches every URL that begins with /admin/, for example "/admin/users". With this functionality, a specific CSP is created for every URL that needs different protection.
Example 3
When creating a CSP in the advanced settings, it is easy to specify which sandbox type you will allow. This is functionality that cannot be set in a CSP delivered through the HTML meta tag in the page code. If a Content Security Policy is already defined in the meta tag, the builder adds the sandbox functionality to that previously used CSP via the response header.
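As an added illustration, not Qbine's own code, here is a small Python builder that produces the blocking and report-only header pair described above: Example 1's trusted source appended after default-src 'self', Example 2's per-path override for /admin/*, the mixed-content and upgrade-insecure-requests features, and Example 3's sandbox directive, which only goes into the blocking header because browsers ignore it in Report-Only mode and in a meta tag. The two security levels, their directive sets and the /csp-report endpoint are assumptions made for this example.

```python
from fnmatch import fnmatchcase

# Constructed per-path overrides (Example 2): first matching pattern wins.
PATH_POLICIES = [
    ("/admin/*", {"frame-ancestors": ["'none'"], "form-action": ["'self'"]}),
]

# Bare directives the builder can switch on (the "extra features" above).
FLAGS = ("upgrade-insecure-requests", "block-all-mixed-content")


def add_trusted_source(directives, name, origin):
    """Example 1: append a trusted origin after 'self' in one directive."""
    sources = directives.setdefault(name, ["'self'"])
    if origin not in sources:
        sources.append(origin)
    return directives


def serialize(directives, flags=()):
    """Render a directive map plus bare flags as one CSP header value."""
    parts = [f"{name} {' '.join(srcs)}" for name, srcs in directives.items()]
    return "; ".join(parts + list(flags))


def build_csp_headers(path, trusted=(), sandbox=None, report_uri="/csp-report"):
    """Return {header: value} for one request path: a low-security blocking
    policy and a high-security report-only policy (assumed levels)."""
    low = {"default-src": ["'self'"]}
    high = {"default-src": ["'none'"], "script-src": ["'self'"],
            "style-src": ["'self'"], "img-src": ["'self'"],
            "connect-src": ["'self'"], "frame-ancestors": ["'none'"]}
    for origin in trusted:  # e.g. Google Analytics
        add_trusted_source(low, "default-src", origin)
        add_trusted_source(high, "script-src", origin)
        add_trusted_source(high, "connect-src", origin)
    for pattern, extra in PATH_POLICIES:
        if fnmatchcase(path, pattern):
            low.update(extra)
            high.update(extra)
            break
    # Example 3: sandbox is ignored in Report-Only and unsupported in <meta>,
    # so it is only emitted in the enforcing header.
    low_flags = list(FLAGS)
    if sandbox is not None:
        low_flags.append(f"sandbox {sandbox}".strip())
    high["report-uri"] = [report_uri]  # assumed report collection endpoint
    return {
        "Content-Security-Policy": serialize(low, low_flags),
        "Content-Security-Policy-Report-Only": serialize(high, FLAGS),
    }
```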
Protect your website
Our Content Security Policy builder is included in all Qbine packages, a great feature for everyone to use. Do you also want to protect your website with a flexible, simple-to-use CSP builder? Do you have a CSP but cannot optimize it yourself in the website code or on your server? Start your free trial and experience the best protection and optimization first hand now.