Content Security Policy (CSP) in Cybersecurity - Practice Problems & Coding Challenges

Challenge - 5 Problems
🧠 Conceptual (intermediate)
What is the primary purpose of Content Security Policy (CSP)?

Choose the best description of what CSP is designed to do.

A. To manage user authentication and sessions
B. To prevent unauthorized scripts and resources from loading on a web page
C. To speed up website loading by caching resources
D. To encrypt all data sent between a browser and server
💡 Hint

Think about how CSP controls what content a browser can load.

📋 Factual (intermediate)
Which HTTP header is used to implement Content Security Policy?

Select the correct HTTP header name that delivers CSP rules to browsers.

A. X-Content-Security-Policy
B. X-Frame-Options
C. Strict-Transport-Security
D. Content-Security-Policy
💡 Hint

Look for the header that directly mentions 'Content-Security-Policy'.

🔍 Analysis (advanced)
What will happen if a CSP rule includes script-src 'self' but the page tries to load an inline script?

Analyze the effect of this CSP directive on inline scripts.

A. The inline script will run only if it has a nonce attribute
B. The inline script will run normally without restrictions
C. The inline script will be blocked and not executed
D. The inline script will run only if it is loaded from an external trusted domain
💡 Hint

Consider what 'self' allows and how inline scripts are treated by default.

Comparison (advanced)
Compare the default-src and script-src directives in CSP.

Which statement correctly explains their relationship?

A. default-src sets fallback rules for all resource types; script-src overrides it specifically for scripts
B. script-src sets fallback rules for all resource types; default-src overrides it specifically for scripts
C. Both directives control the same resources and have equal priority
D. default-src only controls images; script-src controls scripts
💡 Hint

Think about how CSP applies general and specific rules.

Reasoning (expert)
Given this CSP header: Content-Security-Policy: default-src 'none'; img-src https://images.example.com; script-src 'self' 'nonce-abc123', which of the following is true?

Analyze which resources are allowed to load or execute.

A. Only images from https://images.example.com; scripts from the same origin or with nonce 'abc123' are allowed; all other resources are blocked
B. All images and scripts from any source are allowed because of the nonce
C. Scripts from any origin are allowed if they have the nonce; images from any source are allowed
D. No resources are allowed because default-src is 'none'
💡 Hint

Consider how each directive limits resource loading and the role of 'none' in default-src.

Practice

1. What is the main purpose of Content Security Policy (CSP) on a website?
easy
A. To store user passwords securely
B. To speed up the website loading time
C. To change the website's layout and design
D. To control which content the website is allowed to load

Solution

  1. Step 1: Understand CSP's role in security

    CSP is designed to restrict what content (like scripts, images) a website can load to prevent harmful content.
  2. Step 2: Compare options with CSP purpose

    Only controlling content loading matches CSP's main goal; speeding up or design changes are unrelated.
  3. Final Answer:

    To control which content the website is allowed to load -> Option D
  4. Quick Check:

    CSP controls content loading = A [OK]
Hint: CSP controls content loading to block harmful scripts [OK]
Common Mistakes:
  • Confusing CSP with website speed optimization
  • Thinking CSP manages website design
  • Assuming CSP stores user data
2. Which HTTP header is used to set a Content Security Policy?
easy
A. X-Content-Type-Options
B. Content-Security-Policy
C. Strict-Transport-Security
D. Cache-Control

Solution

  1. Step 1: Identify CSP header name

    The official header to set CSP rules is named Content-Security-Policy.
  2. Step 2: Eliminate unrelated headers

    X-Content-Type-Options controls MIME sniffing, Strict-Transport-Security enforces HTTPS, and Cache-Control manages caching; none of them sets a CSP.
  3. Final Answer:

    Content-Security-Policy -> Option B
  4. Quick Check:

    CSP header = Content-Security-Policy [OK]
Hint: CSP header is exactly 'Content-Security-Policy' [OK]
Common Mistakes:
  • Confusing CSP header with security headers like HSTS
  • Using Cache-Control as CSP header
  • Mixing up header names with similar security headers
3. Given this CSP directive:
Content-Security-Policy: script-src 'self' https://trusted.com;
Which script source is allowed to run on the website?
medium
A. Scripts only from https://trusted.com
B. Scripts from any website
C. Only scripts from the website itself and https://trusted.com
D. No scripts are allowed

Solution

  1. Step 1: Understand the directive meaning

    The directive script-src 'self' https://trusted.com; means scripts can load from the same origin ('self') and from https://trusted.com.
  2. Step 2: Analyze options against directive

    Option C correctly states that scripts are allowed from the website itself and from https://trusted.com; the other options are either incorrect or too broad.
  3. Final Answer:

    Only scripts from the website itself and https://trusted.com -> Option C
  4. Quick Check:

    script-src 'self' + trusted.com = A [OK]
Hint: 'self' means own site; listed URLs are allowed too [OK]
Common Mistakes:
  • Assuming all external scripts are allowed
  • Ignoring the 'self' keyword meaning
  • Thinking no scripts are allowed due to strictness
4. A website sets this CSP header:
Content-Security-Policy: default-src 'none'; img-src https://images.com;
Why might images from the website itself not load?
medium
A. Because default-src 'none' blocks all sources except those explicitly allowed
B. Because img-src allows images from all sources
C. Because the header syntax is incorrect
D. Because images are blocked by browser settings

Solution

  1. Step 1: Understand default-src 'none'

    The directive default-src 'none' blocks all content sources unless specifically allowed.
  2. Step 2: Analyze img-src directive

    Only images from https://images.com are allowed; images from the website itself are not allowed because 'self' is not included.
  3. Final Answer:

    Because default-src 'none' blocks all sources except those explicitly allowed -> Option A
  4. Quick Check:

    default-src 'none' blocks all except allowed = D [OK]
Hint: default-src 'none' blocks all except listed sources [OK]
Common Mistakes:
  • Assuming img-src allows all images by default
  • Thinking header syntax is wrong without checking directives
  • Blaming browser settings instead of CSP rules
5. You want to allow scripts only from your own site and block inline scripts to prevent XSS attacks. Which CSP directive correctly achieves this?
hard
A. Content-Security-Policy: script-src 'self';
B. Content-Security-Policy: script-src 'self' 'unsafe-inline';
C. Content-Security-Policy: script-src *;
D. Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline';

Solution

  1. Step 1: Understand blocking inline scripts

    To block inline scripts, do not include 'unsafe-inline' in the script-src directive.
  2. Step 2: Analyze options for script sources

    Content-Security-Policy: script-src 'self'; allows scripts only from the website itself ('self') and blocks inline scripts because 'unsafe-inline' is omitted. Content-Security-Policy: script-src 'self' 'unsafe-inline'; allows inline scripts, C allows scripts from any source, and D allows inline scripts but blocks every external script.
  3. Final Answer:

    Content-Security-Policy: script-src 'self'; -> Option A
  4. Quick Check:

    Allow 'self' only, no 'unsafe-inline' = B [OK]
Hint: Exclude 'unsafe-inline' to block inline scripts [OK]
Common Mistakes:
  • Including 'unsafe-inline' which allows inline scripts
  • Using wildcard * which allows all scripts
  • Misunderstanding default-src vs script-src directives
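As an added illustration (not part of the quiz page), a small Python model of the CSP source matching these questions rely on: the default-src fallback, 'none', 'self', nonces and 'unsafe-inline'. It evaluates the headers from practice problems 3 to 5 and the Reasoning question against a constructed page origin; real browsers implement far more (scheme and wildcard-host matching, hashes, 'strict-dynamic', report-only mode), so treat this as a teaching model only.

```python
from urllib.parse import urlsplit

FALLBACK_TO_DEFAULT = {"script-src", "img-src", "style-src", "connect-src", "font-src"}  # subset of spec

def parse_csp(header_value):
    policy = {}  # {directive-name: [source expressions]}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy, directive):
    # The named directive wins; otherwise fetch directives inherit default-src.
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None  # no directive applies, so this policy does not restrict the load

def is_allowed(policy, directive, page_origin, url=None, inline=False, nonce=None):
    """Does `policy` let the page at `page_origin` load `url` (or run inline code)?"""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    if sources == ["'none'"]:
        return False
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True  # a matching nonce allows that specific element, inline or external
    if inline:
        # Inline code needs 'unsafe-inline', which CSP3 ignores once a nonce or hash is listed.
        return "'unsafe-inline'" in sources and not any(s.startswith(("'nonce-", "'sha")) for s in sources)
    origin = "{0.scheme}://{0.netloc}".format(urlsplit(url))
    return any(s in ("*", origin) or (s == "'self'" and origin == page_origin) for s in sources)

def quiz_checks():
    """Evaluate the headers from the practice problems; the page origin is constructed."""
    page = "https://www.example.org"
    p3 = parse_csp("script-src 'self' https://trusted.com")
    p4 = parse_csp("default-src 'none'; img-src https://images.com")
    p5 = parse_csp("script-src 'self'")
    rq = parse_csp("default-src 'none'; img-src https://images.example.com; script-src 'self' 'nonce-abc123'")
    return {
        "p3_trusted": is_allowed(p3, "script-src", page, url="https://trusted.com/a.js"),
        "p3_other": is_allowed(p3, "script-src", page, url="https://other.example/a.js"),
        "p4_self_img": is_allowed(p4, "img-src", page, url=page + "/logo.png"),
        "p5_inline": is_allowed(p5, "script-src", page, inline=True),
        "rq_inline_nonce": is_allowed(rq, "script-src", page, inline=True, nonce="abc123"),
        "rq_font": is_allowed(rq, "font-src", page, url="https://fonts.example/a.woff2"),
    }
```

The rq_font entry shows the fallback that problem 4 and the Reasoning question turn on: no font-src is declared, so default-src 'none' governs the load and it is blocked.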