We send Content Security Policy (CSP) headers across our platform, including status pages. This update tightens those headers to improve the security of our services while maintaining compatibility with the external resources that status pages load.
What is Content Security Policy (CSP)?
Content Security Policy (CSP) is a browser security mechanism that mitigates cross-site scripting (XSS) and other content-injection attacks. A site sends a policy in an HTTP response header; the browser then refuses to load or execute scripts, plugins, images and other resources from any source the policy does not explicitly permit.
How has Sorry™ implemented CSP?
As part of our commitment to security, we have adopted a tightly locked-down default CSP policy. This default policy ensures that only content from explicitly listed, trusted sources can be loaded or executed, reducing the risk of XSS attacks and unauthorised code execution.
To summarize the changes:
A new script-src directive is included, restricting the origins from which scripts may be loaded.
Utilising object-src 'none' (note the CSP syntax: a space, not a colon, and single quotes around the keyword), as recommended by Mozilla and OWASP, so that plugin content such as <object> and <embed> cannot be loaded at all, regardless of what default-src allows.
No action is required; this is enabled across our product by default.
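To make the effect of these directives concrete, the following is an added example written for this post rather than code from Sorry™ or from any browser: a minimal CSP evaluator that parses a header value and decides whether a resource of a given type would be permitted. It shows the two behaviours the summary above relies on, namely that fetch directives fall back to default-src when absent, and that object-src 'none' blocks plugin content even from the page's own origin. The policies, origins and URLs in it are constructed for illustration and are not Sorry™'s actual header; host matching is simplified (hostname plus optional scheme and leading wildcard, ports and paths ignored), so this is not a complete CSP Level 3 matcher.

```python
"""Minimal Content Security Policy (CSP) evaluator (illustrative, not a
complete CSP Level 3 implementation).

Parses a CSP header value and decides whether a browser would permit a
resource of a given type (script, object, img, ...) from a given URL.
Covers per-type fetch directives, fallback to default-src when a directive
is absent, and the 'none' / 'self' keywords. Host matching is simplified:
hostname plus optional scheme and leading wildcard; ports and paths ignored.
"""
from urllib.parse import urlsplit


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}.

    Directive names are case-insensitive; if a directive appears twice the
    first occurrence wins, as the CSP spec requires.
    """
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _source_matches(source: str, url: str, page_origin: str) -> bool:
    """Does one source expression permit the resource URL?"""
    res = urlsplit(url)
    expr = source.lower()
    if expr == "'none'":
        return False
    if expr == "'self'":
        return f"{res.scheme}://{res.netloc}".lower() == page_origin.lower()
    if expr.startswith("'"):
        # 'unsafe-inline', 'nonce-...', 'sha256-...' govern inline content,
        # not fetched URLs, so they never match a URL here.
        return False
    if expr == "*":
        return res.scheme in ("http", "https")
    if expr.endswith(":"):
        # scheme-source such as "https:" matches any host on that scheme
        return f"{res.scheme}:" == expr
    # host-source: [scheme://]host[:port][/path]; compare scheme (if given) and hostname
    scheme, sep, host_part = expr.partition("://")
    if sep and res.scheme != scheme:
        return False
    if not sep:
        host_part = expr
    host_part = host_part.split("/", 1)[0].split(":", 1)[0]  # drop path and port
    hostname = (res.hostname or "").lower()
    if host_part.startswith("*."):
        return hostname.endswith(host_part[1:])  # "*.example.com" -> ".example.com"
    return hostname == host_part


def allowed(policy: dict[str, list[str]], resource_type: str, url: str, page_origin: str) -> bool:
    """Would the browser load `url` as a `resource_type` (script, object, img, ...)?"""
    sources = policy.get(f"{resource_type}-src")
    if sources is None:
        sources = policy.get("default-src")  # fetch directives fall back to default-src
    if sources is None:
        return True  # nothing governs this type, so it is unrestricted
    return any(_source_matches(s, url, page_origin) for s in sources)


# Constructed policies and origins for illustration, not Sorry's real header.
PAGE = "https://status.example.com"
LOCKED_DOWN = parse_csp(
    "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'"
)
NO_OBJECT_SRC = parse_csp("default-src 'self'; script-src 'self' https://cdn.example.com")


def demo() -> dict[str, bool]:
    """Evaluate a handful of loads against the two constructed policies."""
    return {
        "script from allowed CDN": allowed(LOCKED_DOWN, "script", "https://cdn.example.com/app.js", PAGE),
        "script from elsewhere": allowed(LOCKED_DOWN, "script", "https://attacker.example.net/x.js", PAGE),
        "image via default-src fallback": allowed(LOCKED_DOWN, "img", "https://status.example.com/logo.png", PAGE),
        "image from CDN (not in default-src)": allowed(LOCKED_DOWN, "img", "https://cdn.example.com/logo.png", PAGE),
        "same-origin plugin with object-src 'none'": allowed(LOCKED_DOWN, "object", "https://status.example.com/legacy.swf", PAGE),
        "same-origin plugin without object-src": allowed(NO_OBJECT_SRC, "object", "https://status.example.com/legacy.swf", PAGE),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{'ALLOW' if ok else 'BLOCK'}  {label}")
```

The last two entries of demo() are the point of the object-src change: without an explicit object-src, a plugin load from the page's own origin falls back to default-src 'self' and is allowed, whereas object-src 'none' blocks it outright.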