Progressive CSP Implementation Strategy
Implementing CSP effectively requires a phased approach:
Phase 1: Discovery with Report-Only Mode
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-reports
Phase 2: Permissive Policy with Monitoring
Content-Security-Policy: default-src 'self' https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; report-uri /csp-reports
Phase 3: Tightening Restrictions
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{random}' https://specific-cdn.com; style-src 'self' 'unsafe-inline'
Phase 4: Strict Production Policy
Content-Security-Policy: default-src 'none'; script-src 'self' 'nonce-{random}' 'strict-dynamic'; style-src 'self'; img-src 'self' data:; connect-src 'self'; font-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'
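The two ends of this progression, as an added example that is not part of the original page: the Phase 4 header assembled with a fresh per-response nonce (the 'nonce-{random}' placeholder above), and a small aggregator for the Phase 1 reports that a browser POSTs to the report-uri endpoint. It assumes the legacy report-uri JSON body (a top-level "csp-report" object); the function names and the sample reports are constructed here.

```python
import json
import secrets
from collections import Counter

def new_nonce() -> str:
    # 128 bits from the OS CSPRNG, base64url; generate one per response, never reuse.
    return secrets.token_urlsafe(16)

def build_strict_policy(nonce: str) -> str:
    # Phase 4 policy with the nonce filled in; 'strict-dynamic' lets nonced
    # scripts load their dependencies, so no host allowlist is needed.
    directives = [
        "default-src 'none'",
        f"script-src 'self' 'nonce-{nonce}' 'strict-dynamic'",
        "style-src 'self'",
        "img-src 'self' data:",
        "connect-src 'self'",
        "font-src 'self'",
        "base-uri 'none'",
        "form-action 'self'",
        "frame-ancestors 'none'",
    ]
    return "; ".join(directives)

def summarize_reports(raw_bodies):
    # Phase 1 discovery: count (directive, blocked-uri) pairs so the noisiest
    # violations are fixed (or allowlisted) before the policy is enforced.
    counts = Counter()
    for raw in raw_bodies:
        try:
            report = json.loads(raw).get("csp-report", {})
        except (ValueError, AttributeError):
            continue  # malformed or non-object body: ignore, do not crash the endpoint
        directive = report.get("effective-directive") or report.get("violated-directive", "?")
        counts[(directive, report.get("blocked-uri", "?"))] += 1
    return counts

# Constructed sample bodies, shaped like browser POSTs to /csp-reports.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://app.example/", "violated-directive": "script-src", "effective-directive": "script-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://app.example/", "violated-directive": "script-src", "effective-directive": "script-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://app.example/", "violated-directive": "img-src", "effective-directive": "img-src", "blocked-uri": "https://cdn.example/logo.png"}}',
    'not json',
]

if __name__ == "__main__":
    for (directive, blocked), n in summarize_reports(SAMPLE_REPORTS).most_common():
        print(f"{n:4d}  {directive:12s} {blocked}")
    print("Content-Security-Policy:", build_strict_policy(new_nonce()))
```

Two "inline" hits under script-src are the signal that inline scripts still need a nonce before moving from Phase 3 to Phase 4.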