Content Security Policy (CSP) for Forevermore Moments
Forevermore Moments is committed to ensuring the security and integrity of its website and the data of its users. This Content Security Policy (CSP) serves as a guideline to mitigate security risks such as cross-site scripting (XSS), clickjacking, and other code injection attacks. By implementing the CSP, we aim to safeguard our digital content and maintain a secure environment for all our visitors.
Policy Directives
The following policy directives outline the allowed sources of content and the handling of various types of content on the Forevermore Moments website.
1. Default Source
```plaintext
default-src 'self';
```
This is the fallback for every fetch directive not set explicitly below: such content may only be loaded from the same origin as the page itself.
2. Script Source
```plaintext
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://apis.google.com https://cdnjs.cloudflare.com;
```
Scripts can be loaded from the same origin, Google APIs, and the Cloudflare CDN. Inline scripts and eval() are allowed ('unsafe-inline' and 'unsafe-eval'); both weaken the XSS protection this directive otherwise provides, so their use should be minimized and carefully managed.
3. Style Source
```plaintext
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
```
Styles can be loaded from the same origin and Google Fonts. Inline styles are allowed, but their use should be limited and sanitized to prevent XSS attacks.
4. Font Source
```plaintext
font-src 'self' https://fonts.gstatic.com;
```
Fonts can be loaded from the same origin and Google Fonts.
5. Image Source
```plaintext
img-src 'self' data: https://www.forevermoremoments.com;
```
Images can be loaded from the same origin, data URIs, and the specified domain.
6. Frame Ancestors
```plaintext
frame-ancestors 'self';
```
The website can only be framed by the same origin, which prevents clickjacking attacks from other domains. Browsers honour frame-ancestors only when it is delivered in the HTTP header, not in a <meta> tag.
7. Connect Source
```plaintext
connect-src 'self' https://api.forevermoremoments.com;
```
Connections opened by scripts (XMLHttpRequest, fetch(), WebSockets, EventSource) can only target the same origin and the specified API endpoint.
8. Object Source
```plaintext
object-src 'none';
```
Embedding of plugins or any objects is disallowed to mitigate the risk of malicious code execution.
9. Media Source
```plaintext
media-src 'self';
```
Media files (audio, video) can only be loaded from the same origin.
10. Child Source
```plaintext
child-src 'self';
```
Frames and iframes can only be loaded from the same origin.
11. Form Action
```plaintext
form-action 'self';
```
Forms can only be submitted to the same origin.
12. Worker Source
```plaintext
worker-src 'self';
```
Web Workers can be loaded from the same origin.
13. Manifest Source
```plaintext
manifest-src 'self';
```
Web app manifests can only be loaded from the same origin.
Policy Enforcement
The CSP header should be included in the HTTP response from the server. Here is an example of how to set the CSP header in different server configurations:
Apache
```apache
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://apis.google.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.forevermoremoments.com; frame-ancestors 'self'; connect-src 'self' https://api.forevermoremoments.com; object-src 'none'; media-src 'self'; child-src 'self'; form-action 'self'; worker-src 'self'; manifest-src 'self';"
</IfModule>
```
Nginx
```nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://apis.google.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.forevermoremoments.com; frame-ancestors 'self'; connect-src 'self' https://api.forevermoremoments.com; object-src 'none'; media-src 'self'; child-src 'self'; form-action 'self'; worker-src 'self'; manifest-src 'self';";
```
Note that Nginx does not inherit add_header directives into a server or location block that declares its own add_header, so the CSP line must be repeated in every such block.
ASP.NET
```csharp
// ASP.NET Framework (System.Web): add the header once per response, e.g. from an HTTP module
HttpContext.Current.Response.AddHeader("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://apis.google.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.forevermoremoments.com; frame-ancestors 'self'; connect-src 'self' https://api.forevermoremoments.com; object-src 'none'; media-src 'self'; child-src 'self'; form-action 'self'; worker-src 'self'; manifest-src 'self';");
```
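The thirteen directives above and the three server snippets all repeat the same long header string by hand. The following Python script is an added example (not part of the Forevermore Moments policy or its server configuration) that keeps the policy as structured data, serialises it to the exact header value used in the Apache, Nginx and ASP.NET snippets, parses a header back into directives, and reports the source expressions a reviewer would flag: 'unsafe-inline' and 'unsafe-eval' in script-src, 'unsafe-inline' in style-src, and a missing base-uri (which does not fall back to default-src). The nonce value used in the usage comment is constructed for illustration; the only assumption about CSP semantics is the specification rule that browsers ignore 'unsafe-inline' once a nonce or hash source is present in the same directive.

```python
"""Build, parse and sanity-check the CSP header described in this policy."""
from typing import Dict, List, Tuple

Policy = Dict[str, List[str]]

# The thirteen directives from the policy, in page order, as structured data.
POLICY: Policy = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'",
                   "https://apis.google.com", "https://cdnjs.cloudflare.com"],
    "style-src": ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
    "font-src": ["'self'", "https://fonts.gstatic.com"],
    "img-src": ["'self'", "data:", "https://www.forevermoremoments.com"],
    "frame-ancestors": ["'self'"],
    "connect-src": ["'self'", "https://api.forevermoremoments.com"],
    "object-src": ["'none'"],
    "media-src": ["'self'"],
    "child-src": ["'self'"],
    "form-action": ["'self'"],
    "worker-src": ["'self'"],
    "manifest-src": ["'self'"],
}

# The header value exactly as it appears in the Apache, Nginx and ASP.NET snippets.
PAGE_HEADER = (
    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' "
    "https://apis.google.com https://cdnjs.cloudflare.com; style-src 'self' "
    "'unsafe-inline' https://fonts.googleapis.com; font-src 'self' "
    "https://fonts.gstatic.com; img-src 'self' data: "
    "https://www.forevermoremoments.com; frame-ancestors 'self'; connect-src 'self' "
    "https://api.forevermoremoments.com; object-src 'none'; media-src 'self'; "
    "child-src 'self'; form-action 'self'; worker-src 'self'; manifest-src 'self';"
)


def build_header(policy: Policy) -> str:
    """Serialise a directive map as 'name src src; name src;' (one string for every server)."""
    return " ".join(f"{name} {' '.join(sources)};" for name, sources in policy.items())


def parse_header(value: str) -> Policy:
    """Parse a header value back into a directive map.

    Directives are separated by ';'; the first token is the directive name, the
    remaining tokens are source expressions. Empty segments (trailing ';') are
    skipped, and a repeated directive is ignored, as browsers do per the spec.
    """
    parsed: Policy = {}
    for segment in value.split(";"):
        tokens = segment.split()
        if not tokens:
            continue
        parsed.setdefault(tokens[0].lower(), tokens[1:])
    return parsed


def _has_nonce_or_hash(sources: List[str]) -> bool:
    """True if the directive carries a nonce or hash source, which makes 'unsafe-inline' inert."""
    return any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)


def lint_policy(policy: Policy) -> List[Tuple[str, str]]:
    """Return (directive, finding) pairs for the weak points a reviewer would raise."""
    findings: List[Tuple[str, str]] = []
    default = policy.get("default-src", [])
    script = policy.get("script-src", default)
    if "'unsafe-inline'" in script and not _has_nonce_or_hash(script):
        findings.append(("script-src", "'unsafe-inline' lets any injected inline script run; "
                                       "move inline scripts to nonces or hashes"))
    if "'unsafe-eval'" in script:
        findings.append(("script-src", "'unsafe-eval' permits eval()/new Function() over strings"))
    if any(s == "*" or s.startswith("http:") for s in script):
        findings.append(("script-src", "wildcard or plain-http script source"))
    style = policy.get("style-src", default)
    if "'unsafe-inline'" in style and not _has_nonce_or_hash(style):
        findings.append(("style-src", "'unsafe-inline' allows injected styles (lower impact than script)"))
    if "base-uri" not in policy:
        findings.append(("base-uri", "missing; base-uri does not fall back to default-src, "
                                     "so an injected <base> tag could redirect relative script URLs"))
    if policy.get("object-src", default) != ["'none'"]:
        findings.append(("object-src", "should be 'none' to block plugin content"))
    if "frame-ancestors" not in policy:
        findings.append(("frame-ancestors", "missing; the page can be framed for clickjacking"))
    return findings


if __name__ == "__main__":
    assert build_header(POLICY) == PAGE_HEADER          # the string the server configs use
    assert parse_header(PAGE_HEADER) == POLICY           # and it round-trips
    for directive, message in lint_policy(POLICY):
        print(f"{directive}: {message}")
    # With a (constructed) nonce in script-src, the 'unsafe-inline' finding disappears.
    nonced = dict(POLICY, **{"script-src": ["'self'", "'nonce-c0nstructedValue'"]})
    print("with nonce:", [d for d, _ in lint_policy(nonced)])
```

Run as a script, it prints the four findings for the policy as published and then shows that replacing the script-src allowances with a per-response nonce removes both script-src findings; the policy dict, not the header string, is what should be edited when the Review and Update section calls for a change.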
Review and Update
This policy should be reviewed regularly and updated as necessary to address new security threats and to incorporate new content sources or functionalities of the Forevermore Moments website. Any changes to this policy must be documented and approved by the website’s security team.
Contact
For questions or concerns about this policy, please contact the Forevermore Moments security team at info@forevermoremoments.co.za.
By adhering to this CSP, Forevermore Moments aims to create a secure online environment, ensuring the protection of our users’ data and maintaining the integrity of our digital content.