Content-Security-Policy (CSP)

Content-Security-Policy (CSP) is a security standard that helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks resulting from the execution of malicious content in the trusted web page context. It allows web developers to control the resources that a user agent is allowed to load for a given page.

See here for more information:

Bayer Development Security Guidelines

Section 4.2.6 of the Bayer Development Security Guidelines states:

For public facing web sites and applications, all pages must include the following required headers (see Appendix B for acceptable values). This requirement is also in alignment with requirements by BitSight, a cybersecurity scanning organization that publishes overall scores for companies like Bayer. Incorrect or unset HTTP headers found on public facing web sites significantly contribute to Bayer’s reduction in score.

  a. Cache-Control (a “no-cache” directive is sufficient)
  b. Content-Security-Policy
  c. Expires
  d. HTTP Strict-Transport-Security
  e. X-Content-Type-Options

The following rules apply to the Content-Security-Policy header:

  1. Must not use “unsafe-eval”, “unsafe-inline”, or “unsafe-redirect” keywords.
  2. Must not use “blob”, “data”, or “filesystem” as source list.
  3. Must not use the asterisk character by itself.
  4. Must choose either “none” or specify URLs, but not both.
  5. Must use “default-src” directive.
  6. Directives can only be used once.
  7. Source list, if used, must not be empty.
  8. Must only be used once.
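
The eight rules above can be checked mechanically before a release. The linter below is an added example, not Bayer or HortiView code; it parses every Content-Security-Policy value a response carried and reports which rule each finding violates. It assumes that rule 7 ("if used") does not apply to directives that take no source list at all, such as upgrade-insecure-requests, and the sample header values at the end are constructed for the demonstration.

```python
UNSAFE_KEYWORDS = {"'unsafe-eval'", "'unsafe-inline'", "'unsafe-redirect'"}
FORBIDDEN_SCHEMES = {"blob:", "data:", "filesystem:"}
# Assumption: rule 7 ("if used") exempts directives that take no source list.
NO_SOURCE_LIST = {"upgrade-insecure-requests", "block-all-mixed-content", "sandbox"}

def parse_csp(policy: str) -> list[tuple[str, list[str]]]:
    """Split one CSP header value into (directive, sources) pairs, in order."""
    directives = []
    for raw in policy.split(";"):
        tokens = raw.split()
        if tokens:
            directives.append((tokens[0].lower(), [t.lower() for t in tokens[1:]]))
    return directives

def check_csp_headers(headers: list[str]) -> list[str]:
    """Return rule violations for all CSP header values of one response ([] = compliant)."""
    findings = []
    if len(headers) != 1:  # rule 8: the header itself may appear only once
        findings.append(f"rule 8: header present {len(headers)} times, expected exactly once")
    if not headers:
        return findings
    directives = parse_csp(headers[0])
    if "default-src" not in [name for name, _ in directives]:
        findings.append("rule 5: default-src directive missing")
    seen = set()
    for name, sources in directives:
        if name in seen:
            findings.append(f"rule 6: directive {name} used more than once")
        seen.add(name)
        if name in NO_SOURCE_LIST:
            continue
        if not sources:
            findings.append(f"rule 7: {name} has an empty source list")
            continue
        for src in sources:
            if src in UNSAFE_KEYWORDS:
                findings.append(f"rule 1: {name} uses {src}")
            if src in FORBIDDEN_SCHEMES:
                findings.append(f"rule 2: {name} allows the {src} scheme")
            if src == "*":
                findings.append(f"rule 3: {name} uses a bare wildcard")
        if "'none'" in sources and len(sources) > 1:
            findings.append(f"rule 4: {name} mixes 'none' with other sources")
    return findings

# Constructed sample values for demonstration, not from any real deployment.
COMPLIANT = ["default-src 'self'; script-src 'self' https://cdn.example.com; "
             "object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests"]
NONCOMPLIANT = ["script-src 'self' 'unsafe-inline' data:; img-src *; style-src; "
                "connect-src 'none' https://api.example.com; img-src 'self'"]
```

Running `check_csp_headers(NONCOMPLIANT)` yields one finding for each of rules 1 to 7, while `check_csp_headers(COMPLIANT)` returns an empty list.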

See Implementation for HortiView Platform and Implementation for Vendor Modules for more details on the current implementation of the CSP header in Bayer HortiView and what it means for vendor modules, as well as challenges and future work to further enhance the security posture of Bayer HortiView.