Secure your assets before they become liabilities. #CSP #AppSec #CyberSecurity "What runs on your website right now?"
echo -n "alert('safe')" | openssl dgst -sha256 -binary | base64 Output: 'sha256-abc123...' csp assets
| Asset Type | Description | Management Strategy | | :--- | :--- | :--- | | | JavaScript files (first-party & third-party). | Use 'nonce-random' for dynamic scripts; 'sha256-hash' for static inline scripts. | | Style Assets | CSS files and inline styles. | Apply 'unsafe-inline' only if necessary; prefer nonces or hashes. | | Font Assets | Web fonts (e.g., .woff2). | Define font-src directive (e.g., font-src 'self' https://fonts.gstatic.com ). | | Image Assets | Images loaded via or CSS. | Use img-src 'self' data: https: for remote images. | | Connect Assets | APIs, WebSockets, EventSource. | Define connect-src (e.g., connect-src 'self' https://api.example.com ). | Secure your assets before they become liabilities