
Layers of Defense: Utilizing Content Security Policies for Defense-in-Depth

A common term in the cybersecurity world is “Zero Trust.” This means exactly what it says – trusting nothing until verified. The methods companies use to execute a Zero Trust cybersecurity strategy vary, and often combine many different approaches. As we at YOTTAA say, layering defense capabilities is the best approach to creating and maintaining security. 

What are Content Security Policies (CSPs)? 

Content Security Policies (CSPs) are rulesets that allow or block certain actions on a website. They work as a guard on web content: a web application that implements one tells the browser which sources it may load scripts, styles, images and other content from, and everything else is blocked.

CSPs can directly mitigate a common attack called Cross-site Scripting (XSS), where bad actors inject malicious code into a site. Attackers exploit flaws in web applications to deliver this browser-side code to the end user, which can result in breaches of sensitive data.

What are the pros and cons of using CSPs? 

Let’s start with the cons:

  • If your website has already come under attack, CSPs alone will not resolve this problem. You must take action to patch up the vulnerability AND implement CSPs to mitigate future attacks. 
  • Without the intelligence of a visibility and management platform, implementing CSPs can feel a bit like playing Pin the Tail on the Donkey. They are hard to manage manually without any system in place and can be arduous to implement. 
  • CSPs can be over-restrictive, meaning if you block everything, you may lose functionality. This, however, can be resolved by utilizing them appropriately and using data to determine what to block and what to allow.

Now the pros:

  • A CSP that disallows inline JavaScript mitigates XSS effectively. Such policies are strict enough that they ensure the site is well protected from hackers.
  • CSPs are easily configurable when used with a system that provides easy management and analytics. More importantly, they take a Zero Trust approach to cybersecurity. This is essential since attacks are becoming increasingly sophisticated. 
  • CSPs are a great way for online retailers to maintain governance over ALL assets loading on their site. This is vital to protect customer data. 
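To make the two list points concrete, here is an added example (not YOTTAA's code, and not a real browser's implementation) that models how a browser applies the CSP `script-src` directive. It shows a permissive policy with `'unsafe-inline'` letting an injected inline script run, a strict nonce-based policy blocking it while the site's own nonced script and an allow-listed CDN still load, and the over-restriction case where an Nth-party tag that is not yet on the allowlist is blocked. All hostnames, policies and nonces are constructed placeholders.

```javascript
// Added example, not YOTTAA's or any browser's code: a minimal model of how a
// browser applies the CSP script-src directive. Supports 'self',
// 'unsafe-inline', 'nonce-…' and scheme://host sources; paths, wildcards and
// hashes are deliberately not modelled.

// Parse "script-src 'self' 'nonce-abc' https://cdn.example; img-src *"
// into { 'script-src': [...], 'img-src': [...] }.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Decide whether one script would execute under the policy.
// script is { inline: true, nonce?: string } or { src: 'https://…' }.
function scriptAllowed(header, script, pageOrigin) {
  const sources = parsePolicy(header)['script-src'];
  if (!sources) return true;                       // no directive: unrestricted
  const hasNonce = sources.some(s => s.startsWith("'nonce-"));
  if (script.inline) {
    if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
    // CSP level 2: 'unsafe-inline' is ignored once a nonce source is present
    return sources.includes("'unsafe-inline'") && !hasNonce;
  }
  const origin = new URL(script.src).origin;
  return sources.some(s => {
    if (s === "'self'") return origin === pageOrigin;
    if (s.startsWith("'")) return false;           // keywords never match URLs
    if (s === '*') return true;
    const host = s.includes('://') ? s : `https://${s}`; // schemeless host: assume https
    return new URL(host).origin === origin;
  });
}

// Constructed policies and assets (placeholder hosts, not real vendors).
const PAGE = 'https://shop.example';
const PERMISSIVE = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example";
const STRICT = "default-src 'self'; script-src 'self' 'nonce-r4nd0m' https://cdn.example";
const SITE_INLINE = { inline: true, nonce: 'r4nd0m' }; // site's own nonced bootstrap script
const INJECTED = { inline: true };                     // inline script that got injected: carries no nonce
const CDN_LIB = { src: 'https://cdn.example/lib.js' }; // allow-listed third-party library
const ANALYTICS = { src: 'https://tag.example/a.js' }; // Nth-party tag not yet on the allowlist
console.log('permissive policy lets the injected inline script run:', scriptAllowed(PERMISSIVE, INJECTED, PAGE));
console.log('strict policy blocks it:', !scriptAllowed(STRICT, INJECTED, PAGE));
console.log('strict policy still runs nonced bootstrap and CDN lib:', scriptAllowed(STRICT, SITE_INLINE, PAGE), scriptAllowed(STRICT, CDN_LIB, PAGE));
console.log('unlisted tag is blocked until it is allow-listed:', !scriptAllowed(STRICT, ANALYTICS, PAGE));
```

Real deployments should first ship the policy with `Content-Security-Policy-Report-Only` and use the violation reports to build the allowlist, which is the data-driven approach the cons list describes.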

Why should every online retailer use them? 

50-75% of an eCommerce site consists of 3rd, 4th, and 5th party assets that retailers have zero control over. CSPs give retailers oversight and granular control over every single digital asset running on their eCommerce site. Combining deep and dynamic visibility into every line of code with the ability to allow and block every Nth-party service can give retailers control over every interaction on their site, and protect their customers, their reputation, and their bottom line.


Curious about how to easily implement and manage Content Security Policies? YOTTAA’s SERVICE CTRL gives online retailers the ability to quickly create and implement CSPs across their eCommerce site.