How to Generate a Content Security Policy like the Pros

Generating a Content Security Policy for a website or web application should not be hard.

The RapidSec CSP Generator makes it easy and effective to create a strict CSP, using techniques such as SHA hashes that the top technology companies in the world rely on.

Video Walkthrough of the RapidSec CSP Generator:

How To: Generate a SHA based Strict Content Security Policy, like the pros!

Time needed: 12 minutes.

  1. Understand the CSP Challenge

    00:00 Understand the balance of Building CSP correctly without breaking things

  2. Learn the concept of a SHA based Content Security Policy

    00:32 See a live SHA CSP implementation

  3. Notice regression risks

    01:13 Broken marketing scripts under an existing CSP setup: in the browser console you will see "Refused to load the script because it violates the following Content Security Policy directive".

  4. Setup a RapidSec Account

    01:34 You can sign in with Google, with a username and password, or via SSO if your organization is already live.

  5. Create a RapidSec Project

    01:52 Name your project after the site; it's the most scalable approach.

  6. Connect your Project to Reporting Policy

    02:39 Set the generated content security policy in Report-Only mode

  7. Run the Initial CSP to create violations

    02:59 Seed your project with initial data

  8. Add CSP packages to simplify your workflow

    03:40 Approve your first CSP packages and build the first CSP version

  9. Configure custom Content Security Policy directives

    04:41 After applying the package CSP, add your own custom directive rules.

  10. Eliminating 'unsafe-inline' with SHA hashes

    05:12 This is an important technique when setting the CSP script-src. It's especially useful for sites with a limited number of inline scripts (up to 20 or so).

  11. Set the style-src and content directives

    06:24 These are less important, so you can create more permissive rules for them.

  12. Deploying the full Report-Only CSP, and moving to Enforce Mode!

    07:50 This is where the magic happens: RapidSec runs a combination of enforced and report-only policies to get the best security posture and monitoring without breaking your site.

  13. Conclusion and Wrap up!

    11:02 See? Building a Content-Security-Policy for your site can be easy!
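Step 10 above replaces 'unsafe-inline' with a per-script hash. The Python script below is an added example, not RapidSec's own code: it pulls the inline script bodies out of a constructed HTML sample, hashes each one the way browsers do (SHA-256 over the exact bytes between the script tags, base64-encoded) and assembles a script-src directive from them; it also shows why a whitespace change in an inline script breaks the policy, which is the regression risk from step 3. The sample page and the CDN host are assumptions.

```python
import base64
import hashlib
import re

# Constructed sample page: two inline scripts plus one external script.
SAMPLE_HTML = """<html><head>
<script>window.dataLayer = window.dataLayer || [];</script>
<script type="text/javascript">
  console.log("page loaded");
</script>
<script src="https://cdn.example.com/lib.js"></script>
</head><body></body></html>"""

# Match <script ...>body</script> but skip tags that carry a src= attribute:
# external scripts are allow-listed by host, not by hash.
INLINE_SCRIPT_RE = re.compile(
    r"<script\b(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE
)


def csp_sha256(script_body: str) -> str:
    """Return the CSP source expression ('sha256-...') for one inline script.

    The browser hashes exactly the text between <script> and </script>,
    so changing indentation or adding a newline yields a different hash
    and the script is blocked until the policy is regenerated.
    """
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_script_bodies(html: str) -> list[str]:
    """Extract the bodies of all inline (non-src) <script> elements."""
    return [m.group(1) for m in INLINE_SCRIPT_RE.finditer(html)]


def build_script_src(html: str, external_hosts: list[str]) -> str:
    """Assemble a script-src directive: 'self', allowed hosts, then one hash
    per inline script. No 'unsafe-inline' is needed."""
    sources = ["'self'"] + list(external_hosts)
    sources += [csp_sha256(body) for body in inline_script_bodies(html)]
    return "script-src " + " ".join(sources)


if __name__ == "__main__":
    print(build_script_src(SAMPLE_HTML, ["https://cdn.example.com"]))
```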

How to get started with CSP

Getting started with Content-Security-Policy has never been easier! Just use the RapidSec CSP generator, which combines multiple techniques to avoid bypasses AND runs proper monitoring in case an attack does slip through.

Looking for an enterprise-grade CSP solution? Book a RapidSec demo today.

If you think I can improve this video, please let me know @Shai_Alon.
