RunCloud allows you to manage your servers and web applications with ease, but it also provides several security features to protect your online assets from potential threats.

What is a Content Security Policy (CSP)?

A Content Security Policy (CSP) is a widely used security standard for websites that lets site owners restrict which resources a page may load, in order to prevent injection-based attacks. It lists the allowed sources for resource types such as JS, CSS, and fonts, so that scripts from unapproved origins are not loaded.

For example, if your website uses Google Fonts, you can specify that only fonts from fonts.googleapis.com are allowed to load on your website. This way, if an attacker tries to inject a malicious font from another source, the browser will block it and prevent the attack.

A CSP is implemented by sending a special HTTP header called Content-Security-Policy from the server to the browser. The header contains a set of directives that define the policy for each resource type. For example, the following header allows fonts only from fonts.googleapis.com and 'self' (the same origin as the website; note that keywords such as 'self' must be single-quoted, otherwise the browser reads them as a host name):

Content-Security-Policy: font-src fonts.googleapis.com 'self';

You can also use a wildcard (*) to allow any source, or 'none' to block all sources. For example, the following header blocks all scripts and styles, inline and external alike:

Content-Security-Policy: script-src 'none'; style-src 'none';

You can learn more about the syntax and directives of CSP from these resources:

Why RunCloud Does Not Enable CSP by Default

RunCloud provides a security header option for every web application on the platform. The headers it sets help prevent cross-site scripting (XSS) and clickjacking in order to keep your website secure.

For clickjacking protection, we use the catch-all X-Frame-Options header. This header is an all-or-nothing header that tells the browser whether or not to allow your website to be displayed in an iframe. For example, the following header prevents any website from embedding your website in an iframe:

X-Frame-Options: DENY

This header is considered a legacy header and has been superseded by the Content Security Policy (CSP) header. The Content Security Policy header provides fine-grained control over the security policy – not just for iframes, but for all content types.

X-Frame-Options is a catch-all to protect on-site builds from iframe clickjacking. Having it turned on by default isn’t likely to break any sites.

We would love to enable the CSP header automatically for all our web applications, but that would not be very helpful for you. Because we serve a variety of sites, each site needs its own CSP settings, and those settings will change from time to time as the website changes and new plugins or themes are installed.

A CSP header will affect not only fonts and analytics, but also map and video embeds, code embeds, and many other resources on your site. We can’t possibly come up with a CSP header that suits everyone’s individual needs while still providing necessary security.

This means that a default CSP header would have to be very permissive to avoid breaking your site, which would defeat the purpose of having a CSP header in the first place. It would also create a false impression that your site is secure, which is not what we want as a company that values your security.

That’s why we want you to use this header, but only if you customize it for each of your sites based on what they need. This way, you can have a more effective and tailored security policy for your site.

However, this also means that you will have to troubleshoot your site on your own if something goes wrong with the CSP header. We recommend using tools such as CSP Evaluator and Csper Policy Evaluator to inspect your CSP configuration.
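As an added example (not RunCloud's code, and no substitute for the evaluators named above), the small checker below parses a Content-Security-Policy header value as described earlier on this page and flags the mistakes discussed here: an unquoted keyword such as a bare self, a wildcard or 'unsafe-inline' in script-src, and a policy that has no frame-ancestors directive, which is the CSP replacement for X-Frame-Options. The host cdn.example.net in the test is a constructed placeholder.

```python
"""Minimal CSP header checker. Constructed example: it parses a policy
string and reports common mistakes; it is not a full CSP validator."""
from typing import Dict, List

# Keywords that CSP requires to be single-quoted inside a source list.
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a policy into {directive: [source, ...]}; ';' separates directives."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_csp(header: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    policy = parse_csp(header)
    findings: List[str] = []
    for directive, sources in policy.items():
        for src in sources:
            # A bare keyword (e.g. self instead of 'self') is treated by the
            # browser as a host named "self", so the intended origin is NOT allowed.
            if src.lower() in KEYWORDS:
                findings.append(f"{directive}: keyword {src} must be quoted as '{src}'")
        # script-src (or default-src as its fallback) is where injection matters most.
        if directive in ("script-src", "default-src"):
            if "*" in sources:
                findings.append(f"{directive}: wildcard * lets any origin supply scripts")
            if "'unsafe-inline'" in sources:
                findings.append(f"{directive}: 'unsafe-inline' permits injected inline scripts")
    # Without frame-ancestors, clickjacking protection still depends on X-Frame-Options.
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing: clickjacking protection relies on X-Frame-Options")
    return findings


if __name__ == "__main__":
    for finding in check_csp("font-src fonts.googleapis.com self"):
        print(finding)
```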