Content security policy
"Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware." —Mozilla
This document is an overview of how VA.gov implements, uses, and manages a content security policy. It assumes you understand CSP and its directives and have a high-level understanding of VA.gov's infrastructure (specifically where the reverse proxy sits in the content delivery flow).
Generation of CSP
There are two components of the CSP generated by VA.gov's reverse proxy.
CSP HTTP headers:
Content-Security-Policy (currently not active)
nonce header value and HTML attribute: A unique value (nonce) is generated for each page visit. The nonce is added to the CSP header and to each occurrence of the nonce attribute in the HTML document. The nonce is added to the HTML document with a simple string replacement of
VA.gov uses Sentry as its CSP logger. Sentry CSP logs for each environment:
Reports are throttled by the reverse proxy: the report-uri directive is added to the CSP header on only a percentage of visits, so only that fraction of violations is sent to Sentry.
Configuration and maintenance
The following applies when editing the CSP:
Updates to the CSP must be approved by the Release Tools team
Updates to the CSP must be tested on staging before releasing into production
The only way to test the CSP is to deploy it to an environment and monitor the logger for violations
Updates to the CSP must be in pull requests without other changes to enable easy rollback
The updater is responsible for monitoring the CSP logger after changes are pushed into production
The CSP should be backwards compatible with CSP version 1.0 to ensure maximum browser coverage. Use the CSP quick reference guide for this task.
Validate the CSP header using the CSP Evaluator. The current process is to deploy changes to staging and capture the header from a browser request/response.
Exempted third party scripts
This is an overview of the third party managed scripts allowed to run on VA.gov.
Web analytics platform.
Facility Locator uses Leaflet to annotate its map. This dependency loads the Google Maps JavaScript framework.
An A/B testing and personalization tool.
used to deliver messages to veterans.
A location / address tool used in the Facility Locator.
Approval for new third party scripts
Quarterly review process
Locking down your website scripts with CSP hashes, nonces, and report-uri
Help and feedback
Create an issue ticket to suggest changes to this page