[英]Shall I use the Content-Security-Policy HTTP header for a backend API?
We're implementing HSTS on our backend API and I stumbled upon the Content Security Policy (CSP) header.我们正在后端 API 上实施 HSTS,我偶然发现了内容安全策略 (CSP) 标头。 This header tells the browser where from resources such as images, video, stylesheet, scripts and so on can be downloaded.
此标头告诉浏览器可以从何处下载图像、视频、样式表、脚本等资源。
Since a backend API won't really display things in a browser, what's the value of having this header set?由于后端 API 不会真正在浏览器中显示内容,设置此标头的价值是什么?
CSP is a technique designed to impair xss -attacks. CSP是一种旨在削弱xss攻击的技术。 That is, it is most useful in combination with serving hypermedia that relies on other resources being loaded with it.
也就是说,它与依赖加载的其他资源的超媒体服务相结合是最有用的。 That is not exactly a scenario I would expect with an API.
这不是我期望的 API 场景。 That is not to say you cannot use it.
这并不是说你不能使用它。 If there really is no interactive content in your responses, nothing could hold you from serving this header:
如果您的回复中确实没有交互式内容,则没有什么可以阻止您提供此标题:
Content-Security-Policy: default-src 'none';
Going one step further, you could use CSP as some sort of makeshift Intrusion Detection System by setting report-uri
in order to fetch incoming violation reports .更进一步,您可以通过设置
report-uri
以获取传入的违规报告,将CSP 用作某种临时入侵检测系统。 That is well within the intended use but still a bit on the cheap.这完全符合预期用途,但仍然有点便宜。
In conclusion, it can theoretically improve the security of your API through little effort.总而言之,它理论上可以通过很少的努力提高您的 API 的安全性。 Practically, the advantages may be slim to none.
实际上,优势可能微乎其微。 If you feel like it, there should be no harm in sending that header.
如果您愿意,发送该标头应该没有害处。 You may gain more by eg suppressing MIME-type sniffing , though.
不过,您可以通过例如抑制 MIME 类型的嗅探来获得更多收益。
See also: The OWASP Secure Headers Project另请参阅: OWASP 安全标头项目
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.