How does CSP protect EUDI Wallet web applications?

CSP protects EUDI Wallet web applications by strictly controlling what code can execute in the browser. A properly configured CSP policy prevents inline scripts from executing (blocking most XSS attacks), restricts scripts to only load from the application own domain and trusted CDNs, prevents the page from being embedded in frames on other sites (defending against clickjacking), blocks connections to unauthorized external servers (preventing data exfiltration), and controls which form action URLs are permitted (protecting credential submission forms). For example, a CSP header might specify: script-src self https://trusted-cdn.eu; connect-src self https://wallet-api.eudi.eu; frame-ancestors none. This ensures only scripts from the application domain and trusted CDN can execute, API calls only go to the wallet backend, and the page cannot be framed by other sites.

What CSP directives are most important for EUDI Wallet services?

The most critical CSP directives for EUDI services are: script-src (controls JavaScript sources -- should never include unsafe-inline in production), connect-src (controls which URLs JavaScript can connect to -- limits API communication to authorized wallet endpoints), frame-ancestors (prevents clickjacking -- typically set to none or self), form-action (controls where forms can submit data -- critical for credential submission flows), and default-src (fallback policy for any unspecified directive -- typically set to self). Additionally, upgrade-insecure-requests ensures all resources load over HTTPS.

What is CSP reporting and why is it useful for EUDI Wallet monitoring?

CSP supports a reporting mechanism where browsers send JSON reports to a specified endpoint whenever a CSP violation occurs. By setting the report-uri or report-to directive, EUDI Wallet operators receive real-time alerts when something tries to violate their security policy -- which could indicate an XSS attack attempt, a compromised CDN, or a misconfigured integration. Operators can use report-only mode during deployment to monitor violations without blocking them, then switch to enforcement mode once the policy is validated. This provides continuous security monitoring for wallet web services.

CSP (Content Security Policy) - EUDI Wallet Glossary

CSP

security

Full Name: Content Security Policy

Definition

Content Security Policy (CSP) is a security standard implemented via HTTP headers that defines which content sources are allowed on a web page. CSP prevents cross-site scripting (XSS), clickjacking, and other code injection attacks by whitelisting trusted content origins. For EUDI Wallet web applications, CSP is a mandatory security control that protects credential verification portals and wallet management interfaces.

How CSP Works

CSP works by adding an HTTP response header (Content-Security-Policy) to web pages served by the EUDI Wallet web application. This header contains a policy string composed of directives, each controlling a specific type of resource. When the browser loads the page, it parses the CSP header and enforces the policy for all subsequent resource loads and script executions.

For example, if the policy specifies script-src 'self', the browser will only execute JavaScript files loaded from the same origin as the page. Any attempt to execute an inline script, load a script from a different domain, or use eval() will be blocked. This is the primary defense against XSS attacks, where an attacker injects malicious scripts into web pages.

CSP operates on a whitelist model -- everything is blocked unless explicitly allowed. This is fundamentally more secure than a blacklist approach, as it protects against unknown attack vectors. New attack techniques that rely on loading resources from external domains are automatically blocked if those domains are not whitelisted.

CSP Implementation for EUDI Wallet Portals

EUDI Wallet web portals handle sensitive operations: credential presentation requests, identity verification flows, and consent management interfaces. A strong CSP implementation for these portals typically includes:

•Strict script control: script-src 'self' with nonce-based exceptions for necessary inline scripts. This blocks all unauthorized JavaScript execution while allowing the application own scripts to function.
•API connection restrictions: connect-src limiting XMLHttpRequest and fetch calls to authorized EUDI Wallet API endpoints only.
•Frame protection: frame-ancestors 'none' preventing the wallet interface from being embedded in malicious sites for clickjacking attacks.
•Form action control: form-action 'self' ensuring credential data can only be submitted to the application own endpoints.

CSP and Defense in Depth for EUDI Services

CSP is one layer in a defense-in-depth security strategy for EUDI Wallet web services. It works alongside other security headers and mechanisms:

•HSTS (HTTP Strict Transport Security): Ensures all connections use HTTPS, preventing protocol downgrade attacks.
•CORS: Controls which external domains can make API requests to wallet services.
•CSRF tokens: Prevent cross-site request forgery attacks on wallet management operations.
•Subresource Integrity (SRI): Ensures CDN-hosted scripts have not been tampered with by verifying their cryptographic hash.

Together, these mechanisms create multiple barriers that an attacker must overcome, significantly reducing the risk of successful web-based attacks against EUDI Wallet infrastructure.

What is CSP?

CSP: Content Security Policy for EUDI Wallet Web Security

CSP

Definition

How CSP Works

CSP Implementation for EUDI Wallet Portals

CSP and Defense in Depth for EUDI Services

Related Terms

XSS

CORS

Frequently Asked Questions

Verwandte Leitfäden

→ Glossary Index

→ XSS

→ CORS

Quellen

⚠️ Independent Information