๐Ÿ›ก๏ธ CSP is active โ€” violations are blocked and reported
โ† All demos ยท CSP Demo 3 of 4

Form Hijacking

A rogue script has rewritten the login form's action attribute to point at an attacker's server. Your credentials go straight to them, unless CSP is watching.

Protected: CSP blocked the form from posting to an external origin


Form hijack blocked. CSP's form-action 'self' directive prevented the form from submitting to evil-cyber-hacker.com. The violation was reported to Report URI.
CSP header sent with this page
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; form-action 'self'; report-uri https://helios.report-uri.com/r/t/csp/enforce; report-to default
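The header above names two reporting channels, report-uri and report-to, and the browser delivers violations to them in different shapes. The following is an added example, not code from the demo page or from Report URI, showing how an endpoint of your own would normalise both formats and pull out the form-hijack signal: a form-action violation whose blocked target sits on a different origin from the reporting document. The page origin https://demo.example, the endpoint and every sample report are constructed for illustration.

```javascript
// Added example, not code from the demo page or from Report URI: an ingest
// routine for the violation reports the browser sends to the header's
// report-uri and report-to endpoints. The two delivery formats differ:
// report-uri POSTs one {"csp-report": {...}} object with kebab-case keys,
// report-to POSTs an array of Reporting API reports with camelCase bodies.
// The sample reports below are constructed; https://demo.example is an assumed page.

function normaliseReports(body) {
  if (body && typeof body === 'object' && !Array.isArray(body) && body['csp-report']) {
    const r = body['csp-report'];
    return [{
      documentUrl: r['document-uri'],
      directive: r['effective-directive'] || r['violated-directive'],
      blockedUrl: r['blocked-uri'],
      disposition: r['disposition'],
    }];
  }
  if (Array.isArray(body)) {
    return body
      .filter((r) => r && r.type === 'csp-violation' && r.body)
      .map((r) => ({
        documentUrl: r.body.documentURL,
        directive: r.body.effectiveDirective,
        blockedUrl: r.body.blockedURL,
        disposition: r.body.disposition,
      }));
  }
  return []; // unknown shape: drop rather than guess
}

// blocked-uri is not always a URL ("inline", "eval", a bare scheme); those yield null.
function originOf(value) {
  try { return new URL(value).origin; } catch (e) { return null; }
}

// The form-hijack signal: a form-action violation whose blocked target is on a
// different origin from the document that reported it.
function findFormHijacks(reports) {
  return reports.filter((r) => {
    if (r.directive !== 'form-action') return false;
    const blocked = originOf(r.blockedUrl);
    return blocked !== null && blocked !== originOf(r.documentUrl);
  });
}

// Aggregate by exfiltration target: one unknown origin receiving many forms is the alert.
function countByBlockedOrigin(hijacks) {
  const counts = {};
  for (const h of hijacks) {
    const o = originOf(h.blockedUrl);
    counts[o] = (counts[o] || 0) + 1;
  }
  return counts;
}

// Constructed sample: what arrives at the report-uri endpoint.
const SAMPLE_REPORT_URI = {
  'csp-report': {
    'document-uri': 'https://demo.example/csp/3',
    'referrer': '',
    'violated-directive': 'form-action',
    'effective-directive': 'form-action',
    'original-policy': "default-src 'self'; form-action 'self'",
    'disposition': 'enforce',
    'blocked-uri': 'https://evil-cyber-hacker.com/login',
    'status-code': 200,
  },
};

// Constructed sample: what arrives at the report-to endpoint (an array of reports).
const SAMPLE_REPORT_TO = [
  {
    age: 12, type: 'csp-violation', url: 'https://demo.example/csp/3', user_agent: 'constructed',
    body: { documentURL: 'https://demo.example/csp/3', blockedURL: 'https://evil-cyber-hacker.com/login',
            effectiveDirective: 'form-action', originalPolicy: "form-action 'self'", disposition: 'enforce', statusCode: 200 },
  },
  {
    age: 30, type: 'csp-violation', url: 'https://demo.example/csp/3', user_agent: 'constructed',
    body: { documentURL: 'https://demo.example/csp/3', blockedURL: 'inline',
            effectiveDirective: 'script-src-elem', originalPolicy: "script-src 'self'", disposition: 'enforce', statusCode: 200 },
  },
];

const allReports = [...normaliseReports(SAMPLE_REPORT_URI), ...normaliseReports(SAMPLE_REPORT_TO)];
console.log(countByBlockedOrigin(findFormHijacks(allReports))); // { 'https://evil-cyber-hacker.com': 2 }
```

Two caveats when you run something like this in production. First, the endpoint receives unauthenticated JSON from arbitrary clients, so a report is telemetry rather than evidence: validate the shape, rate-limit per source, and alert on volume across many documents rather than on a single report. Second, report-uri is the older mechanism and report-to the newer Reporting API; browsers differ in which they support, which is why the header above sends both, and why the ingest has to accept both shapes.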
What CSP did

form-action 'self' restricts where forms on the page may submit. Even though the rogue script has pointed the form's action attribute at the attacker's server, the browser refuses to perform the submission and fires a CSP violation report instead. Note that form-action is not governed by default-src: a policy of default-src 'self' on its own leaves form submissions unrestricted, so the directive has to be set explicitly, as it is in the header above.
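The decision the browser makes at submit time can be written down as a small evaluator. The block below is an added example, not code from the demo page or from any browser, that parses a CSP header, looks up form-action with no fallback to default-src, and matches the submission target against the directive's source expressions. It goes slightly beyond the demo's single 'self' case and also handles 'none', '*', scheme sources such as https: and host sources with a *. wildcard and port; paths in host sources are ignored to keep it short. The page origin https://demo.example and the target URLs are assumptions for illustration.

```javascript
// Added example, not code from the demo page: a minimal evaluator for the
// form-action directive. It answers "would the browser let a form on this page
// submit to that URL?" under a given CSP header. The page origin
// https://demo.example and the target URLs are assumptions for illustration.
// Supported source expressions: 'none', 'self', '*', scheme sources such as
// https:, and host sources with an optional *. wildcard and port. Paths in
// host sources are ignored to keep the matcher short.

const DEMO_CSP =
  "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; " +
  "form-action 'self'; report-uri https://helios.report-uri.com/r/t/csp/enforce; report-to default";

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// "name v1 v2; name v3" -> Map(name -> [v1, v2]); the first occurrence of a
// directive wins and later duplicates are ignored, as browsers do.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Host source such as https://*.partner.example:443 against a parsed target URL.
function hostSourceMatches(src, page, target) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.[^:\/*]+|\*|[^:\/*]+)(?::(\d+|\*))?(\/.*)?$/.exec(src);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // Scheme: an explicit one must match (http: also admits https:); with none
  // given, the page's own scheme applies, again with the https upgrade allowed.
  const want = scheme ? scheme + ':' : page.protocol;
  if (target.protocol !== want && !(want === 'http:' && target.protocol === 'https:')) return false;
  // Host: *.example.com matches subdomains only, not example.com itself.
  if (host.startsWith('*.')) {
    if (!target.hostname.endsWith(host.slice(1))) return false;
  } else if (host !== '*' && target.hostname !== host) {
    return false;
  }
  // Port: an explicit port must match ('*' admits any); absent means the scheme default,
  // which the URL parser represents as an empty port string.
  const targetPort = target.port || DEFAULT_PORT[target.protocol] || '';
  if (port === undefined) return target.port === '';
  return port === '*' || port === targetPort;
}

function sourceMatches(source, page, target) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return target.origin === page.origin;
  if (src === '*') return target.protocol === 'http:' || target.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) {
    return target.protocol === src || (src === 'http:' && target.protocol === 'https:');
  }
  return hostSourceMatches(src, page, target);
}

// The check the browser performs before sending the form. Note the absence of
// any fallback: if form-action is missing, default-src does NOT apply and the
// submission is allowed wherever it points.
function isFormActionAllowed(cspHeader, pageOrigin, targetUrl) {
  const directives = parseCsp(cspHeader);
  if (!directives.has('form-action')) return true;
  const page = new URL(pageOrigin);
  const target = new URL(targetUrl, pageOrigin);
  return directives.get('form-action').some((src) => sourceMatches(src, page, target));
}

// Constructed scenario: the rogue script has rewritten the form's action.
const hijackedAction = 'https://evil-cyber-hacker.com/login';
console.log(isFormActionAllowed(DEMO_CSP, 'https://demo.example', hijackedAction)); // false: blocked
console.log(isFormActionAllowed("default-src 'self'", 'https://demo.example', hijackedAction)); // true: default-src alone gives no protection
```

The second call is the one worth remembering: the same policy minus form-action lets the hijacked form post anywhere, because form-action is one of the directives that default-src never covers.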

โ† Demo 2 Demo 4 โ†’
๐Ÿ›ก๏ธ CSP blocked 0 attempt(s)