Content Security Policy (CSP)


Content Security Policy (CSP) for Forevermore Moments

Forevermore Moments is committed to ensuring the security and integrity of its website and the data of its users. This Content Security Policy (CSP) serves as a guideline to mitigate security risks such as cross-site scripting (XSS), clickjacking, and other code injection attacks. By implementing the CSP, we aim to safeguard our digital content and maintain a secure environment for all our visitors.

Policy Directive

The following policy directives outline the allowed sources of content and the handling of various types of content on the Forevermore Moments website.

1. Default Source

```plaintext
default-src 'self';
```

The default policy only allows content to be loaded from the same origin as the page itself.

2. Script Source

```plaintext
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://apis.google.com https://cdnjs.cloudflare.com;
```

Scripts can be loaded from the same origin, Google APIs (apis.google.com), and the cdnjs Cloudflare CDN. Inline scripts and eval() are allowed, but should be minimized and carefully managed: while 'unsafe-inline' is present (and no nonce or hash is used) any inline script an attacker manages to inject will execute, so this setting removes most of the XSS protection that script-src is meant to provide.

3. Style Source

```plaintext
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
```

Styles can be loaded from the same origin and Google Fonts (fonts.googleapis.com). Inline styles are allowed, but their use should be limited and any user-controlled values sanitized, since 'unsafe-inline' also lets injected style blocks and style attributes apply.

4. Font Source

```plaintext
font-src 'self' https://fonts.gstatic.com;
```

Font files can be loaded from the same origin and from Google Fonts' font host (fonts.gstatic.com).

5. Image Source

```plaintext
img-src 'self' data: https://www.forevermoremoments.com;
```

Images can be loaded from the same origin, data URIs, and the specified domain.

6. Frame Ancestors

```plaintext
frame-ancestors 'self';
```

The website can only be framed by pages from the same origin, which prevents clickjacking by other domains. Note that frame-ancestors does not fall back to default-src, so it must be set explicitly as it is here.

7. Connect Source

```plaintext
connect-src 'self' https://api.forevermoremoments.com;
```

Connections (XMLHttpRequest, fetch(), WebSockets, EventSource) can only be made to the same origin and the specified API endpoint.

8. Object Source

```plaintext
object-src 'none';
```

Embedding of plugins or other objects (object, embed and applet elements) is disallowed to mitigate the risk of malicious code execution through plugin content.

9. Media Source

```plaintext
media-src 'self';
```

Media files (audio, video) can only be loaded from the same origin.

10. Child Source

```plaintext
child-src 'self';
```

Frames and iframes can only be loaded from the same origin. child-src also serves as the fallback for frame-src and worker-src when those directives are not set.

11. Form Action

```plaintext
form-action 'self';
```

Forms can only be submitted to the same origin. Like frame-ancestors, form-action does not fall back to default-src and must be set explicitly.

12. Worker Source

```plaintext
worker-src 'self';
```

Web Workers (including shared workers and service workers) can only be loaded from the same origin.

13. Manifest Source

```plaintext
manifest-src 'self';
```

Web app manifests can only be loaded from the same origin.
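To check that a deployed header actually matches the directives above, the following added example (not part of the Forevermore Moments policy or site code) parses a CSP header string, resolves which directive governs a given resource type under the CSP fallback rules described above, and flags the weak settings this page calls out (script-src 'unsafe-inline' and 'unsafe-eval', a non-'none' object-src, and a missing frame-ancestors or base-uri). The policy string is a constructed copy of the one in the enforcement examples below.

```python
"""Parse a Content-Security-Policy header and audit it for weak settings,
honouring CSP fallback chains. Constructed example, not site code."""

# Constructed copy of the policy from this page's enforcement examples.
POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://apis.google.com "
    "https://cdnjs.cloudflare.com; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
    "font-src 'self' https://fonts.gstatic.com; "
    "img-src 'self' data: https://www.forevermoremoments.com; "
    "frame-ancestors 'self'; connect-src 'self' https://api.forevermoremoments.com; "
    "object-src 'none'; media-src 'self'; child-src 'self'; form-action 'self'; "
    "worker-src 'self'; manifest-src 'self';"
)

# CSP3 fallback chains. Unlisted fetch directives fall back to default-src;
# navigation/document directives (empty list) never fall back.
FALLBACKS = {
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
    "frame-ancestors": [], "form-action": [], "base-uri": [], "sandbox": [],
}

def parse_csp(header):
    """Return {directive: [sources]}; a repeated directive is ignored, as per spec."""
    directives = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives

def effective_sources(directives, name):
    """Return (directive that actually governs `name`, its source list)."""
    for candidate in [name] + FALLBACKS.get(name, ["default-src"]):
        if candidate in directives:
            return candidate, directives[candidate]
    return None, []

def audit(directives):
    """List weak settings; an empty list means none of the checks fired."""
    findings = []
    _, script = effective_sources(directives, "script-src")
    # Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src: 'unsafe-inline' lets injected inline scripts run")
    if "'unsafe-eval'" in script:
        findings.append("script-src: 'unsafe-eval' allows eval()/new Function()")
    if effective_sources(directives, "object-src")[1] != ["'none'"]:
        findings.append("object-src: should be 'none' to block plugin content")
    if "base-uri" not in directives:
        findings.append("base-uri: missing, an injected <base> can redirect relative URLs")
    if "frame-ancestors" not in directives:
        findings.append("frame-ancestors: missing, the page can be framed by any origin")
    return findings
```

Running `audit(parse_csp(POLICY))` on this page's policy reports the 'unsafe-inline', 'unsafe-eval' and missing base-uri findings and nothing else.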

Policy Enforcement

The CSP header must be sent in the HTTP response for every HTML page the server serves, including error pages. Here is an example of how to set the CSP header in different server configurations:

Apache

```apache
<IfModule mod_headers.c>
    # "always" also applies the header to error responses (4xx/5xx)
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://apis.google.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.forevermoremoments.com; frame-ancestors 'self'; connect-src 'self' https://api.forevermoremoments.com; object-src 'none'; media-src 'self'; child-src 'self'; form-action 'self'; worker-src 'self'; manifest-src 'self';"
</IfModule>
```

Nginx

```nginx
# "always" sends the header on every response code, not only 2xx/3xx
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://apis.google.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.forevermoremoments.com; frame-ancestors 'self'; connect-src 'self' https://api.forevermoremoments.com; object-src 'none'; media-src 'self'; child-src 'self'; form-action 'self'; worker-src 'self'; manifest-src 'self';" always;
```

ASP.NET

```csharp
// System.Web (ASP.NET Framework); HttpContext.Current is not available in ASP.NET Core
HttpContext.Current.Response.AddHeader("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://apis.google.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.forevermoremoments.com; frame-ancestors 'self'; connect-src 'self' https://api.forevermoremoments.com; object-src 'none'; media-src 'self'; child-src 'self'; form-action 'self'; worker-src 'self'; manifest-src 'self';");
```

Review and Update

This policy should be reviewed regularly and updated as necessary to address new security threats and to incorporate new content sources or functionalities of the Forevermore Moments website. Any changes to this policy must be documented and approved by the website’s security team.

Contact

For questions or concerns about this policy, please contact the Forevermore Moments security team at info@forevermoremoments.co.za.


By adhering to this CSP, Forevermore Moments aims to create a secure online environment, ensuring the protection of our users’ data and maintaining the integrity of our digital content.