How to find out if a Site has a Content Security Policy (CSP) deployed
How to Find Out If a Site Has a Content Security Policy (CSP) Deployed
A Content Security Policy is the best protection against one of the most malicious attacks on the Internet – supply chain attacks – and with increased awareness and adoption of CSP's by some of the largest sites online, you may be starting your own research into Content Security Policies.
Initial research into CSP’s leads to some common questions:
Do we have a CSP?
What does our CSP look like?
Does my competitor or partner in this space use a CSP, and what does it look like?
What do prominent industry leading sites do for security, do they employ a CSP, and what does theirs encompass?
Answering these questions relies on being able to find a CSP on a site. The good news is, CSP's are not hidden configurations. By their nature, they are fully public and visible on the site via a few easy steps. We’ll be walking you through some of these options.
Keep in mind that CSP’s can be deployed in two distinct places:
response headers and/or
Since a CSP can be deployed in both locations, you’ll want to look at both deployment options to find out whether a site is using a CSP. Let's get started.
Finding a CSP in a Response Header
OPTION #1: Use developer tools to find a CSP in a response header
Using a browser, open developer tools (we used Chrome’s DevTools) and then go to the website of choice. Open up the Network tab.
Look for the file that builds the page. It should have the same domain as the website you’re on (e.g., www.twitter.com), and will usually be the first item on the Network tab.
Once you click on the file, more information will come up. Look for a 200 OK response code.
Scroll down to the Response Header Section. If a CSP is being used, it will appear here.
See the CSP in the response header if it is present. It will be titled "content-security-policy."
Option #2 - Use a 3rd party browser extension to find a CSP in the response header
There is a browser extension available in Chrome called “CSP Evaluator” that will automatically pull any CSP from the response header for the page, but not a CSP in a meta tag.
Be cautious – extensions have potentially risky access to your web data.
You might want to restrict its data reach under “manage extension,” or disable it when not in use.
The tool can be found under the Chrome Extension Store: CSP Evaluator
This Chrome Extension works very well and can display the CSP and some insightful recommendations. Here is an example of it in action, tracking down the CSP on LinkedIn: LinkedIn - Blue Triangle
Finding a CSP in a Meta Tag
If you can’t locate a CSP in the page's response header using the methods above, don't give up! A Content Security Policy can also be deployed in a meta tag.
There are multiple reasons an organization may use a meta tag to insert their CSP. We’ll discuss the pros and cons of using a meta tag vs. response header for your CSP in a future Blue Triangle blog article.
OPTION #3: Use the page source to find a CSP in a meta tag
First, navigate to the page source.
Open a browser and go to the website of choice.
Right-click a blank area and select “View Page Source.”
Once the page source is shown, find out whether a CSP is present in a meta tag.
Conduct a find (Ctrl-F on Windows, Cmd-F on Mac) and search for the term “Content-Security-Policy”.
If “Content-Security-Policy” is found, the CSP will be the code that comes after that term.
Gus Anderson has been working with Blue Triangle since 2018 as the Vice president of Digital Experience Strategy. Gus has worked across all facets of the digital experience world since 1989 and specializes in ecommerce performance and security.