Overview
As described on MDN: Content Security Policy (CSP) is a feature that helps to prevent or minimize the risk of certain types of security threats. It consists of a series of instructions from a website to a browser, which instruct the browser to place restrictions on the things that the code comprising the site is allowed to do. The primary use case for CSP is to control which resources, in particular JavaScript resources, a document is allowed to load. This is mainly used as a defense against cross-site scripting (XSS) attacks, in which an attacker is able to inject malicious code into the victim’s site.How CSP Prevents MITM Attacks
CSP provides a critical layer of protection against man-in-the-middle (MITM) attacks by:- Restricting script sources - Only scripts from whitelisted domains can execute
- Blocking data exfiltration -
connect-srclimits where data can be sent - Preventing code injection - Even if an attacker injects malicious code, CSP blocks it from communicating with unauthorized servers
How to Enable CSP
Below is an example of a relatively restrictive CSP that limits only scripts and API calls to all Formo domains.<head> tag of your site to enable CSP.
Domains used by Formo
| Domain | Usage |
|---|---|
events.formo.so | Ingestion endpoint for SDK API calls |
cdn.formo.so | CDN for SDK assets |
Combined Protection with SRI
For maximum security, combine CSP with SRI:- Scripts can only load from your domain and Formo’s CDN
- API calls can only be made to your domain and Formo’s ingestion endpoint
- The SDK integrity is cryptographically verified before execution
- All traffic is encrypted with TLS 1.2+