Content Security Policy (CSP)
Learn how we use Content Security Policy (CSP) headers across our platform.
We use Content Security Policy (CSP) headers across our platform, including status pages. This update aims to enhance the security of our services while maintaining compatibility with external resources.
What is Content Security Policy (CSP)?
Content Security Policy (CSP) is a browser security mechanism, configured by a site through the Content-Security-Policy response header, that mitigates cross-site scripting (XSS) and other content-injection attacks. It lets website administrators declare which sources of scripts, styles, images and other content a page may load and execute; the browser refuses to load anything the policy does not allow.
How has Sorry™ implemented CSP?
As part of our commitment to security, we have adopted a tightly locked-down default CSP policy. This default policy ensures that only trusted content from specified sources can be executed, reducing the risk of XSS attacks and unauthorized code execution.
Inclusion of CSS and JavaScript from Remote Domains
While our new CSP policy is restrictive by default, we understand the importance of external resources such as CSS and JavaScript in providing an enhanced user experience. To accommodate this, the policy allows CSS and JavaScript from any remote domain, provided it is served over HTTPS. Bear in mind what that allowance means: a script-src that admits any HTTPS origin will load a script hosted on any HTTPS server, so that directive alone does not stop an injected script tag that points at an attacker-controlled host; the protection comes from the rest of the policy, such as the block on plaintext HTTP resources and on plugin content.
To summarize the changes:
- A new "script-src" directive is included
- Utilising "object-src 'none'" (no plugin content such as Flash or Java applets), as recommended by Mozilla and OWASP.
- No action is required; this is enabled across our product by default.
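To make the behaviour described above concrete, here is an added example (not Sorry's own code, and not their actual header value) of a small CSP evaluator: it parses a policy string and decides whether a given resource URL would be permitted for a given directive, including the CSP fallback from a missing fetch directive to default-src. The policy string EXAMPLE_CSP, the page origin and the sample URLs are constructed for illustration; only 'self', 'none', scheme sources such as `https:`, and host sources are modelled, so nonces, hashes and inline scripts are out of scope.

```javascript
// Added example: a minimal CSP matcher. EXAMPLE_CSP is an assumed policy in the
// spirit of the page (locked down by default, any HTTPS host for scripts and
// styles, no plugin content); it is not the real header Sorry serves.
const EXAMPLE_CSP =
  "default-src 'self'; script-src 'self' https:; style-src 'self' https:; object-src 'none'";

// Parse "name src src; name src" into a Map of directive -> [sources].
// Per the spec, a directive that appears twice keeps its first occurrence.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Does one source expression (e.g. 'self', https:, *.cdn.example) match a URL?
function sourceMatches(source, url, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return url.origin === pageOrigin;
  if (src === '*') return true;
  if (src.startsWith("'")) return false; // nonce-/sha-/unsafe-* keywords: not modelled here
  // Scheme source such as "https:" matches any host on that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return url.protocol === src;
  // Host source: [scheme://][*.]host[:port]
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (url.protocol !== scheme + ':') return false;
  } else if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return false; // scheme-less host sources only cover HTTP(S) in this model
  }
  const hostOk = wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
  if (!hostOk) return false;
  if (port && port !== '*') {
    const effective = url.port || (url.protocol === 'https:' ? '443' : '80');
    if (effective !== port) return false;
  }
  return true;
}

// Would the browser load `urlString` under `directive` for a page at `pageOrigin`?
function isAllowed(header, directive, urlString, pageOrigin) {
  const policy = parseCsp(header);
  const url = new URL(urlString);
  // Fetch directives fall back to default-src when absent (e.g. img-src, object-src).
  const sources = policy.get(directive.toLowerCase()) ?? policy.get('default-src');
  if (!sources) return true;            // nothing governs this directive: unrestricted
  if (sources.length === 0) return false; // an empty source list behaves like 'none'
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Stand-alone demo against the assumed policy for a hypothetical status page.
function demo() {
  const page = 'https://status.example.com';
  const checks = [
    ['script-src', 'https://cdn.example.net/app.js'],       // any HTTPS host: allowed
    ['script-src', 'http://cdn.example.net/app.js'],        // plaintext HTTP: blocked
    ['script-src', 'https://attacker.example/evil.js'],     // also allowed: the caveat above
    ['style-src',  'https://fonts.example.org/theme.css'],  // any HTTPS host: allowed
    ['object-src', 'https://cdn.example.net/player.swf'],   // object-src 'none': blocked
    ['img-src',    'https://status.example.com/logo.png'],  // falls back to default-src 'self'
    ['img-src',    'https://cdn.example.net/logo.png'],     // not 'self': blocked
  ];
  return checks.map(([d, u]) => `${d} ${u}: ${isAllowed(EXAMPLE_CSP, d, u, page) ? 'allowed' : 'blocked'}`);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo().join('\n'));
}
```

The third check is the one to notice: because the assumed script-src admits the whole `https:` scheme, a script on an attacker-controlled HTTPS host passes the same test as a legitimate CDN, which is why the surrounding restrictions (no HTTP resources, no plugin content, and the default-src fallback for everything else) carry much of the policy's weight.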