Content Security Policy - agileChilli

Today’s update is about something that you, as a user, will probably never notice and wouldn’t have known about if it weren’t for this post. There are no new features and no behavioural or graphical changes.

However, it is something we’ve deemed so important that it has been worth spending the past year on. Work started in March 2018 and has just been completed.

So what is it? In short, a Content Security Policy (CSP) has been implemented for the agileBase web app. In plain English, that’s a security mechanism that, when someone’s logged in, prevents unwanted code from running in the browser. Only specific origins, like our own server and a couple of whitelisted services we use (e.g. Google, to display maps), are allowed to serve code to the browser. This protects user data against a number of possible attacks.
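To make the allowlisting concrete, here is an added example (not agileBase’s own code; the hostnames and the page origin are assumptions) that renders such a policy as the header the server would send and checks, with simplified CSP source matching, whether a given script or image URL would be permitted to load.

```python
from urllib.parse import urlparse

# Constructed policy in the spirit of the post: code may only come from the
# app's own origin ('self') plus an allowlisted map provider. The hostnames
# below are assumptions for this example, not agileBase's real policy.
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://maps.googleapis.com"],
    "frame-src": ["https://www.google.com"],
}

def serialize(policy):
    """Render the policy as a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())

def _origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    p = urlparse(url)
    port = p.port or {"https": 443, "http": 80}.get(p.scheme)
    return p.scheme, (p.hostname or "").lower(), port

def _host_matches(expr, url, page_scheme):
    """Simplified CSP host-source matching: scheme, host (with *. wildcard), port."""
    scheme, host, port = _origin(url)
    if "://" not in expr:
        expr = f"{page_scheme}://{expr}"  # scheme-less source inherits the page's scheme
    e_scheme, e_host, e_port = _origin(expr)
    if e_scheme != scheme:
        return False
    if e_host.startswith("*."):
        if not host.endswith(e_host[1:]):  # "*.example.com" matches "maps.example.com"
            return False
    elif e_host != host:
        return False
    return e_port == port  # a source without a port only matches the scheme's default port

def is_allowed(policy, directive, url, page_origin):
    """Would the browser load `url` for `directive` under `policy`?"""
    sources = policy.get(directive, policy.get("default-src", []))  # fall back to default-src
    page_scheme = urlparse(page_origin).scheme
    for expr in sources:
        if expr == "'none'":
            return False
        if expr == "'self'":
            if _origin(url) == _origin(page_origin):
                return True
        elif not expr.startswith("'") and _host_matches(expr, url, page_scheme):
            return True
    return False

def inline_allowed(policy, directive):
    """Inline scripts and handlers only run if the directive carries 'unsafe-inline'."""
    return "'unsafe-inline'" in policy.get(directive, policy.get("default-src", []))
```

Because `script-src` omits `'unsafe-inline'`, every inline handler and `<script>` block in the app has to be moved into files served from an allowed origin, which is the kind of low-level change the rest of this post refers to.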

If you want a fuller technical explanation Scott Helme has a good intro here:

https://scotthelme.co.uk/content-security-policy-an-introduction/

and Google explains why CSPs are so important:

https://developers.google.com/web/fundamentals/security/csp/

CSPs aren’t yet widely used on the general web – in 2018, only three to four percent of the Alexa top 100 websites had a policy enabled. Why’s that? Simply put, it’s often a lot of work to back-fill support into existing sites. A lot of low-level things need to be changed – the larger and more complex the system, the more there is to do. On ours, many hundreds of tweaks were necessary, most of them straightforward but some complex to deal with.

Now that it’s live, though, we’re very happy to be an early adopter, in the knowledge that customer data remains protected using the latest standards and tools.

However, we never rest on our laurels: we’ll continue to push data security and privacy by encouraging more use of Two-Factor Authentication by users, as well as other measures you may hear about on this blog in future!

Source: Agilebase