Content Security Policy (CSP)


CSP is a great feature of modern browsers, and it is 100% supported by dappy. A major difference, though, is that web servers have no control over it: the CSP is not defined by the HTTP headers on the first top-level navigation request, nor by HTML meta tags. CSP rules are defined at the name system level, making them rock solid and impossible to change by any MITM attack or server intrusion.

See Mozilla's documentation on CSP

Our implementation

An example of the .csp property in the configuration for the name "mysite":

csp: "default-src 'self' mysite; script-src https://mysite; img-src https://mysite https://mysecondsite"
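
To read what the value above allows for each resource type, the following added example (not dappy's own code) parses it with the standard CSP grammar and resolves the default-src fallback. The function names parseCsp, effectiveSources and weakSources are hypothetical.

```javascript
// Added example (not dappy's code). Function names are hypothetical.
// Policy string copied from the "mysite" configuration above.
const POLICY =
  "default-src 'self' mysite; script-src https://mysite; img-src https://mysite https://mysecondsite";

// Fetch directives that fall back directly to default-src when absent (subset of the CSP list).
const FETCH_DIRECTIVES = new Set([
  "script-src", "style-src", "img-src", "font-src",
  "connect-src", "media-src", "object-src", "manifest-src",
]);

// Split a serialized policy into a Map of directive name -> source expressions.
// As in the CSP spec, names are case-insensitive and a repeated directive is ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source list that governs a given directive: its own list if present,
// otherwise default-src; null means the policy does not restrict that type.
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (FETCH_DIRECTIVES.has(name) && directives.has("default-src")) {
    return directives.get("default-src");
  }
  return null;
}

// Review helper: flag source expressions that weaken a policy.
function weakSources(directives) {
  const risky = new Set(["'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"]);
  const findings = [];
  for (const [name, sources] of directives) {
    for (const s of sources) if (risky.has(s.toLowerCase())) findings.push(`${name} ${s}`);
  }
  return findings;
}

const parsed = parseCsp(POLICY);
console.log(effectiveSources(parsed, "img-src"));   // its own list
console.log(effectiveSources(parsed, "style-src")); // falls back to default-src
console.log(weakSources(parsed));
```

Because script-src is set explicitly, scripts are governed by https://mysite alone; the 'self' entry in default-src is not inherited by it.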