Content Security Policy on GOV.UK
Content Security Policy (CSP) is a browser standard to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the context of another website. A policy, determining which stylesheets, scripts and other assets are allowed to run, is sent with every request and is parsed and enacted by the browser.
CSP can be run in two modes - report only, where violations of the policy are reported to a given endpoint but allowed to execute, and enforcement, where violations are blocked.
GOV.UK CSP History
As of 2022, GOV.UK has been working, on and off, towards adding a CSP to the public www.gov.uk website for a number of years. We have configured one that has been running on the frontend applications, in report only mode, since 2019. We track this incomplete implementation as tech debt.
We continue to aspire to have the CSP set to enforcement mode and intend to enhance it to forbid unsafe-inline
scripts and styles (in applicable applications) before launching it.
How the policy is set
GOV.UK has a base policy set in the govuk_app_config gem. This policy is shared amongst GOV.UK
applications and should contain directives that are either global or common to many applications.
Each frontend app has an initialiser which invokes the CSP setting code in the gem. Each application can make customisations to the policy for application/route specific needs (example in Smart Answers).
How violations are reported
In all production-like environments (production, staging, integration), CSP is running in report only mode. In other environments such as development and test, CSP is running in enforcement mode to allow errors to be captured at an early stage.
We log reports to Amazon S3 bucket which can be queried with Athena. We store them for 30 days. Many of the reports we receive are from browser extensions we can’t control so we filter the most prolific of them from our logs.
As we receive high volumes of false positive alerts, it is likely we will remove the reporting functionality once a CSP is enforced.
Querying violations
Athena is available through the AWS control panel. To access, log into AWS,
navigate to Athena and select
the csp_reports database. The database is available in all environments, however the production environment one is
that only one that will have good quality data.
You can use SQL as the means to query Athena. Whenever you query it you should always use partitions which will make the query substantially cheaper and faster.
Example Queries
Most recent reports
SELECT *
FROM csp_reports.reports
-- partitions
WHERE year = 2022 AND month = 12 AND date = 8
ORDER BY time DESC
LIMIT 10;
Most commonly blocked URI
SELECT blocked_uri, COUNT(*)
FROM csp_reports.reports
-- partitions
WHERE year = 2022 AND month = 12 AND date = 8
GROUP BY blocked_uri
ORDER BY COUNT(*) DESC;