
How to find out if a Site has a Content Security Policy (CSP) deployed

By Gus Anderson on April 27, 2020

Gus Anderson has been working with Blue Triangle since 2018 as the Vice president of Digital Experience Strategy. Gus has worked across all facets of the digital experience world since 1989 and specializes in ecommerce performance and security.


A Content Security Policy is the best protection against one of the most malicious attacks on the Internet – supply chain attacks – and with increased awareness and adoption of CSPs by some of the largest sites online, you may be starting your own research into Content Security Policies.

Initial research into CSPs leads to some common questions:

  • Do we have a CSP?
  • What does our CSP look like?
  • Does my competitor or partner in this space use a CSP, and what does it look like?
  • What do prominent industry leading sites do for security, do they employ a CSP, and what does theirs encompass?

Answering these questions relies on being able to find a CSP on a site. The good news is, CSPs are not hidden configurations. By their nature, they are fully public and visible on the site via a few easy steps. We’ll be walking you through some of these options.

Keep in mind that CSPs can be deployed in two distinct places:

  • response headers, and/or
  • meta tags.

Since a CSP can be deployed in both locations, you’ll want to look at both deployment options to find out whether a site is using a CSP. Let's get started.

Finding a CSP in a Response Header

OPTION #1: Use developer tools to find a CSP in a response header

  1. Using a browser, open developer tools (we used Chrome’s DevTools) and then go to the website of choice. Open up the Network tab.
  2. Look for the request that builds the page (the HTML document). It should have the same domain as the website you’re on (e.g., www.twitter.com), and will usually be the first item on the Network tab.
  3. Once you click on the request, more information will come up. Look for a 200 OK response code.
  4. Scroll down to the Response Headers section. If a CSP is being used, it will appear here.

Example (steps correspond to the list above): Twitter - Blue Triangle

[Image #1: CSP header shown in the DevTools Network tab]

If a CSP is present, it appears in the response headers under the name "content-security-policy."

[Image #2: CSP header value]

OPTION #2: Use a 3rd party browser extension to find a CSP in the response header

There is a browser extension available in Chrome called “CSP Evaluator” that will automatically pull any CSP from the response header for the page, but not a CSP in a meta tag.

  • Be cautious – extensions have potentially risky access to your web data.
  • You might want to restrict its data reach under “manage extension,” or disable it when not in use.

The tool can be found under the Chrome Extension Store: CSP Evaluator 

[Image #3: CSP Evaluator - Chrome Extension]

This Chrome Extension works very well and can display the CSP and some insightful recommendations. Here is an example of it in action, tracking down the CSP on LinkedIn: LinkedIn - Blue Triangle

[Image #4: CSP Evaluator output for LinkedIn - Blue Triangle]

Finding a CSP in a Meta Tag

If you can’t locate a CSP in the page's response header using the methods above, don't give up! A Content Security Policy can also be deployed in a meta tag.

There are multiple reasons an organization may use a meta tag to insert their CSP. We’ll discuss the pros and cons of using a meta tag vs. response header for your CSP in a future Blue Triangle blog article.

OPTION #3: Use the page source to find a CSP in a meta tag

First, navigate to the page source.

  1. Open a browser and go to the website of choice.
  2. Right-click a blank area and select “View Page Source.”

[Image: Meta tag CSP, Staples, 1]

Once the page source is shown, find out whether a CSP is present in a meta tag.

  1. Conduct a find (Ctrl-F on Windows, Cmd-F on Mac) and search for the term “Content-Security-Policy”.
  2. If “Content-Security-Policy” is found, the CSP will be the code that comes after that term, i.e. the value of the meta tag's content attribute.

[Image: Meta tag CSP, Staples, 2]

Site used: Staples
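To check both locations at once, here is an added Python example (not part of the original post and not Blue Triangle's tooling) that scans a set of response headers and the page's HTML for a policy and splits it into directives; the headers and HTML are constructed samples, and it also covers the Content-Security-Policy-Report-Only header, which carries a policy that reports violations without enforcing them.

```python
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Header names a CSP can arrive in; the second one reports violations without enforcing.
CSP_HEADERS = ("content-security-policy", "content-security-policy-report-only")


class _MetaCspParser(HTMLParser):
    """Collects policies from <meta http-equiv="Content-Security-Policy" content="...">."""

    def __init__(self) -> None:
        super().__init__()
        self.policies: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "content-security-policy" and a.get("content"):
            self.policies.append(a["content"].strip())


def find_csp(headers: Dict[str, str], html: str) -> List[Tuple[str, str]]:
    """Return (location, policy) pairs: 'header:<name>' for headers, 'meta' for meta tags."""
    found: List[Tuple[str, str]] = []
    for name, value in headers.items():
        if name.lower() in CSP_HEADERS:
            found.append((f"header:{name.lower()}", value.strip()))
    parser = _MetaCspParser()
    parser.feed(html)
    found.extend(("meta", p) for p in parser.policies)
    return found


def parse_policy(policy: str) -> Dict[str, List[str]]:
    """Split a policy string into {directive: [source expressions]} for easier reading."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


# Constructed sample response: one policy in a header and a second one in a meta tag.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com",
}
SAMPLE_HTML = """<html><head>
<meta http-equiv="Content-Security-Policy" content="img-src 'self' data:">
</head><body></body></html>"""

if __name__ == "__main__":
    for where, policy in find_csp(SAMPLE_HEADERS, SAMPLE_HTML):
        print(where, parse_policy(policy))
```

For a live site, pass the headers and body from an HTTP response (for example from `urllib.request.urlopen`) in place of the constructed samples.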

More about CSPs

While there are other methods for finding a CSP on a site, these are some of the fastest and easiest ways to check, and they help answer the questions in your initial research into CSPs.

If you would like more information on how to build, deploy, and maintain a properly constructed CSP to prevent supply chain attacks, please reach out to us.

Here is an excellent research site for dealing with the entire specification of the CSP: World Wide Web Consortium - CSP Spec

Here are some webinars if you'd like to expand the journey into CSP research:

All the Best,

– Gus
