17
votes

We're implementing HSTS on our backend API and I stumbled upon the Content Security Policy (CSP) header. This header tells the browser from where resources such as images, videos, stylesheets, scripts and so on may be loaded.

Since a backend API won't really display things in a browser, what's the value of having this header set?

1
No use at all. Why are you thinking to add this header? API is private and it won't ever be accessed through a browser. – Adriano Repetti
Because I was reading this on a task to do, that someone had written. And since it sounded strange I just wanted to confirm. – Jim Aho
@AdrianoRepetti in a Spring application this will set off some automated scan warnings about a CWE-1173 vulnerability since it does not have a default CSP. It's mainly to appease infosec. – buddyp450

1 Answer

24
votes

CSP is a technique designed to impair XSS attacks. That is, it is most useful in combination with serving hypermedia that relies on other resources being loaded with it. That is not exactly a scenario I would expect with an API. That is not to say you cannot use it. If there really is no interactive content in your responses, nothing keeps you from serving this header:

Content-Security-Policy: default-src 'none';

Going one step further, you could use CSP as some sort of makeshift Intrusion Detection System by setting report-uri in order to fetch incoming violation reports. That is well within the intended use but still a bit on the cheap.

In conclusion, it can theoretically improve the security of your API with little effort. Practically, the advantages may be slim to none. If you feel like it, there should be no harm in sending that header. You may gain more by e.g. suppressing MIME-type sniffing, though.

See also: The OWASP Secure Headers Project
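To make the answer concrete, here is an added example (my own code, not part of the answer or of any project mentioned) of a JSON-only API that sends `default-src 'none'` together with a `report-uri`, plus the small collector that receives the violation reports browsers POST back, which is the "makeshift IDS" idea above. It also sets the MIME-sniffing and HSTS headers the thread mentions. The endpoint path `/csp-report`, the hostname and the sample report are constructed for the example.

```python
"""Added example: CSP for a backend API plus a report-uri collector.
The path /csp-report, the host api.example.test and SAMPLE_REPORT are
constructed for this demo and not taken from the original answer."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

REPORT_PATH = "/csp-report"   # assumed endpoint name for violation reports


def security_headers(report_path: str = REPORT_PATH) -> dict:
    """Response headers for an API that never renders in a browser:
    no resource of any kind may load, violations are reported back,
    MIME sniffing is disabled and HTTPS is pinned via HSTS."""
    return {
        "Content-Security-Policy": f"default-src 'none'; report-uri {report_path}",
        "X-Content-Type-Options": "nosniff",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Type": "application/json",
    }


def parse_csp_report(body: bytes):
    """Flatten a report-uri POST body ({"csp-report": {...}}) into a record
    that is easy to log or alert on. Returns None for malformed input so the
    caller can count junk instead of crashing on it."""
    try:
        outer = json.loads(body)
    except ValueError:          # covers JSONDecodeError and bad UTF-8
        return None
    report = outer.get("csp-report") if isinstance(outer, dict) else None
    if not isinstance(report, dict):
        return None
    wanted = ("document-uri", "violated-directive", "effective-directive",
              "blocked-uri", "original-policy", "source-file", "line-number")
    record = {key: str(report.get(key, "")) for key in wanted}
    # With default-src 'none' every report is notable; an inline script or
    # eval being blocked on an API origin is the one most worth an alert.
    record["inline"] = record["blocked-uri"] in ("inline", "eval")
    return record


class ApiHandler(BaseHTTPRequestHandler):
    reports = []   # collected violation records, in memory for the demo

    def _send(self, status: int, payload: bytes) -> None:
        self.send_response(status)
        for name, value in security_headers().items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_GET(self):
        self._send(200, json.dumps({"status": "ok"}).encode())

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(min(length, 64 * 1024))   # cap report size
        if self.path != REPORT_PATH:
            self._send(404, b'{"error":"not found"}')
            return
        record = parse_csp_report(body)
        if record is None:
            self._send(400, b'{"error":"bad report"}')
            return
        self.reports.append(record)
        self._send(204, b"")


# Constructed sample of what a browser POSTs when an HTML page served from
# this origin tried to run an inline script under default-src 'none'.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://api.example.test/v1/users",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "original-policy": "default-src 'none'; report-uri /csp-report",
    "blocked-uri": "inline",
    "line-number": 1,
}}).encode()


if __name__ == "__main__":
    print(parse_csp_report(SAMPLE_REPORT))
    HTTPServer(("127.0.0.1", 8080), ApiHandler).serve_forever()
```

Run it and every response carries the four headers; POSTing a report to `/csp-report` adds a flattened record to `ApiHandler.reports`, which is where you would hook in real logging. The `inline` flag is a heuristic of my own for triage, not something the CSP spec defines.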