Other Important Directives

upgrade-insecure-requests: HTTPS Migration Helper

This directive instructs the browser to rewrite the page's insecure requests (http: and ws: URLs) to https: and wss: before they are sent, which makes it a useful helper while migrating a site with legacy HTTP references to HTTPS. It only changes the request; an upgraded request to a host that does not serve HTTPS simply fails, so the origins being referenced must already support TLS.

Content-Security-Policy: upgrade-insecure-requests;

Implementation strategy:

// Gradual HTTPS migration: pick the CSP header for the current rollout phase
function generateCSPForMigration(phase) {
    switch (phase) {
        case 'testing':
            // Report-only mode: the policy is not enforced, so HTTP resources
            // can be identified from the reports before anything changes
            return {
                header: 'Content-Security-Policy-Report-Only',
                value: 'upgrade-insecure-requests; report-uri /csp-reports'
            };
        case 'migration':
            // Enforce upgrades but keep reporting to catch resources that
            // are not reachable over HTTPS
            return {
                header: 'Content-Security-Policy',
                value: 'upgrade-insecure-requests; report-uri /csp-reports'
            };
        case 'complete':
            // Upgrade and block any remaining mixed content. Note that HSTS is
            // a separate Strict-Transport-Security header, not a CSP directive,
            // and block-all-mixed-content is deprecated in CSP3 though browsers
            // still honour it
            return {
                header: 'Content-Security-Policy',
                value: 'upgrade-insecure-requests; block-all-mixed-content'
            };
        default:
            // Fail closed: an unknown phase must not silently yield no header
            throw new Error(`Unknown migration phase: ${phase}`);
    }
}
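Before enabling the directive it helps to know which references it would actually rewrite. The following is an added example, not code from the original page: it mirrors the scheme mapping upgrade-insecure-requests applies (http: to https:, ws: to wss:) and scans markup for the insecure subresource references that would be affected. It assumes only subresource fetches (src attributes and <link href>) matter, and the regex scanner is a rough aid for the testing phase rather than an HTML parser.

```javascript
// Added example (not part of the original page): simulate the URL rewrite that
// upgrade-insecure-requests performs and scan markup for the insecure
// subresource references it would rewrite.

// Mirror of the directive's scheme mapping: http: -> https:, ws: -> wss:.
// The WHATWG URL parser already drops a default port (80), so an upgraded URL
// ends up on the default TLS port; an explicit non-default port is kept.
function upgradeInsecureUrl(rawUrl, pageUrl) {
  const url = new URL(rawUrl, pageUrl);
  if (url.protocol === 'http:') {
    url.protocol = 'https:';
  } else if (url.protocol === 'ws:') {
    url.protocol = 'wss:';
  }
  return url.href;
}

function isInsecureUrl(rawUrl, pageUrl) {
  const { protocol } = new URL(rawUrl, pageUrl);
  return protocol === 'http:' || protocol === 'ws:';
}

// Collect src attributes and <link href> values, resolve them against the page
// URL (so relative and protocol-relative references on an HTTPS page are
// already secure) and report the ones the directive would rewrite.
// Assumption: a rough regex scan is enough for an inventory; it is not a parser.
function findInsecureReferences(html, pageUrl) {
  const patterns = [
    /\bsrc\s*=\s*["']([^"']+)["']/gi,
    /<link\b[^>]*\bhref\s*=\s*["']([^"']+)["']/gi,
  ];
  const found = [];
  for (const re of patterns) {
    for (const match of html.matchAll(re)) {
      const original = match[1];
      if (isInsecureUrl(original, pageUrl)) {
        found.push({ original, upgraded: upgradeInsecureUrl(original, pageUrl) });
      }
    }
  }
  return found;
}

// Constructed sample page; the hostnames are placeholders.
const SAMPLE_PAGE_URL = 'https://www.example.test/index.html';
const SAMPLE_HTML = `
<link rel="stylesheet" href="/styles.css">
<script src="https://cdn.example.test/app.js"></script>
<script src="http://static.example.test/lib.js"></script>
<img src="//cdn.example.test/hero.png">
<img src="http://cdn.example.test/logo.png">
`;

for (const ref of findInsecureReferences(SAMPLE_HTML, SAMPLE_PAGE_URL)) {
  console.log(`${ref.original} -> ${ref.upgraded}`);
}
```

Running this on the constructed page lists only the two http: references; the relative stylesheet and the protocol-relative image resolve to https: on an HTTPS page and need no upgrade. Each listed host is one to verify for HTTPS support before moving from the testing phase to enforcement.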

sandbox: Iframe Restrictions

The sandbox directive applies to the page itself the same restrictions that the sandbox attribute applies to an iframe. With no tokens the page is treated as having a unique opaque origin and cannot run scripts, submit forms, open popups or navigate its ancestors; each allow-* token lifts one restriction. Two caveats apply: granting allow-scripts together with allow-same-origin largely defeats the isolation, because script then runs with the page's real origin, and the directive is ignored when delivered in a <meta> element or in a Content-Security-Policy-Report-Only header.

Content-Security-Policy: sandbox allow-scripts allow-forms allow-same-origin;

Common sandbox configurations:

const sandboxPolicies = {
    // Untrusted user content
    userContent: 'sandbox allow-scripts',
    
    // Third-party widgets
    widgets: 'sandbox allow-scripts allow-forms allow-popups',
    
    // Embedded documents
    documents: 'sandbox allow-same-origin allow-downloads',
    
    // Maximum restriction
    strict: 'sandbox'
};
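Because the directive fails open on typos (an unknown token simply grants nothing, and a misspelled one silently drops the permission you meant to grant) it is worth checking policies like the ones above before deploying them. The following is an added example, not code from the original page: a small linter that parses the sandbox directive out of a policy string, checks its tokens against the token list defined in the CSP specification, and flags the allow-scripts plus allow-same-origin combination that cancels most of the isolation. The token list is the one I am confident the spec defines; browsers may accept newer tokens not included here.

```javascript
// Added example (not part of the original page): lint the sandbox directive of
// a CSP string. Token list per the CSP specification; newer tokens that some
// browsers accept are not included here (assumption noted in the lead-in).
const SANDBOX_TOKENS = new Set([
  'allow-downloads', 'allow-forms', 'allow-modals', 'allow-orientation-lock',
  'allow-pointer-lock', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts',
  'allow-top-navigation', 'allow-top-navigation-by-user-activation',
]);

// A policy may carry several directives separated by ';'. Returns the list of
// tokens following the sandbox keyword, or null if the directive is absent.
function parseSandboxDirective(policy) {
  const directive = policy
    .split(';')
    .map((d) => d.trim())
    .find((d) => /^sandbox(\s|$)/i.test(d));
  if (!directive) return null;
  return directive.split(/\s+/).slice(1).map((t) => t.toLowerCase());
}

function lintSandboxDirective(policy) {
  const tokens = parseSandboxDirective(policy);
  if (tokens === null) {
    return { present: false, tokens: [], unknown: [], warnings: [] };
  }
  const known = tokens.filter((t) => SANDBOX_TOKENS.has(t));
  const unknown = tokens.filter((t) => !SANDBOX_TOKENS.has(t));
  const warnings = [];
  if (known.includes('allow-scripts') && known.includes('allow-same-origin')) {
    warnings.push('allow-scripts with allow-same-origin: script runs with the real origin, so the sandbox provides little isolation');
  }
  if (known.includes('allow-top-navigation')) {
    warnings.push('allow-top-navigation: prefer allow-top-navigation-by-user-activation so only a user gesture can navigate the top-level context');
  }
  return { present: true, tokens: known, unknown, warnings };
}

// Constructed policies to lint, including the configurations shown above
// and one with a misspelled token.
const policiesToCheck = {
  userContent: 'sandbox allow-scripts',
  widgets: 'sandbox allow-scripts allow-forms allow-popups',
  documents: 'sandbox allow-same-origin allow-downloads',
  strict: 'sandbox',
  risky: "default-src 'self'; sandbox allow-scripts allow-same-origin",
  typo: "default-src 'self'; sandbox allow-scriptz",
};

for (const [name, policy] of Object.entries(policiesToCheck)) {
  const result = lintSandboxDirective(policy);
  console.log(name, JSON.stringify(result));
}
```

The lint result separates recognised tokens from unknown ones so a typo shows up as an explicit finding rather than as a permission that quietly went missing, and the warnings list is the place to add any further organisation-specific rules.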