Add strict Content Security Policy (CSP) #777

Open
opened 1 month ago by HexagonCDN · 1 comment

Quote from https://webbkoll.dataskydd.net/en/results?url=http%3A%2F%2Fcodeberg.org:

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.

A primary goal of CSP is to mitigate and report XSS attacks. XSS attacks exploit the browser's trust of the content received from the server. Malicious scripts are executed by the victim's browser because the browser trusts the source of the content, even when it's not coming from where it seems to be coming from.

CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can occur by specifying the domains that the browser should consider to be valid sources of executable scripts. A CSP compatible browser will then only execute scripts loaded in source files received from those whitelisted domains, ignoring all other script (including inline scripts and event-handling HTML attributes).

— MDN: [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP), Mozilla Contributors, [CC BY-SA 2.5](http://creativecommons.org/licenses/by-sa/2.5/)

The recommended way to enable Content Security Policy is with the `Content-Security-Policy` HTTP header, e.g.:

```
Content-Security-Policy: default-src 'self'
```

It can also be enabled with an HTML `<meta>` element:

```
<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
```

CSP is a powerful mechanism that we strongly recommend. It allows for very fine-grained control. However, creating a good policy (or adjusting your site to work with a good policy) can take some time and effort. To make this easier, it's possible to use CSP in report-only mode.

See the following pages for more information:

* https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
* https://developers.google.com/web/fundamentals/security/csp/
* https://scotthelme.co.uk/csp-cheat-sheet/
* https://report-uri.com/home/tools
* https://csp-evaluator.withgoogle.com/
* https://www.w3.org/TR/CSP2/
* https://www.w3.org/TR/CSP3/
* https://caniuse.com/#search=CSP
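The quoted text explains the header and `<meta>` forms of CSP and suggests report-only mode for rolling a policy out; the issue title asks for a *strict* policy. The following is an added example, not code from this issue, from Codeberg, or from the quoted MDN/webbkoll pages. It builds a nonce-based strict policy (in enforcing or report-only form) and lints an arbitrary policy string for the patterns that leave script injection unmitigated. The policy strings and the `/csp-report` endpoint path are constructed placeholders, and the function names are this example's own.

```python
"""Added example (not code from the Codeberg issue or the quoted MDN/webbkoll
text): build a nonce-based strict CSP header, optionally in report-only mode,
and lint a policy string for the patterns that leave script injection
mitigations ineffective.  The policies below are constructed for illustration
and the /csp-report endpoint is a placeholder."""
import base64
import secrets
from typing import Dict, List, Optional, Tuple

# Scheme-only sources allow any script served over that scheme.
SCHEME_SOURCES = {"http:", "https:", "data:", "blob:", "filesystem:"}
# Presence of any of these makes browsers ignore 'unsafe-inline' (CSP2+).
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source expressions]}.
    Directives are ';'-separated; the first token of each is its name."""
    policy: Dict[str, List[str]] = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def lint_csp(header_value: str) -> List[str]:
    """Return human-readable findings for weaknesses in a policy.

    script-src and object-src fall back to default-src when absent;
    base-uri has no fallback, so a missing base-uri is unrestricted."""
    policy = parse_csp(header_value)
    findings: List[str] = []

    script_src = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        findings.append("no script-src or default-src: scripts from any origin may run")
    else:
        has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in script_src)
        strict_dynamic = "'strict-dynamic'" in script_src
        if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
            findings.append("'unsafe-inline' in script-src without a nonce or hash: "
                            "injected inline scripts and event handlers run")
        if "'unsafe-eval'" in script_src:
            findings.append("'unsafe-eval' in script-src: string-to-code APIs (eval, new Function) allowed")
        # With 'strict-dynamic', CSP3 browsers ignore host and scheme sources,
        # so broad entries kept for older browsers are harmless there.
        if not strict_dynamic:
            broad = [s for s in script_src if s == "*" or s in SCHEME_SOURCES or s.startswith("*.")]
            if broad:
                findings.append(f"broad script sources {broad}: any script hosted there may run")

    object_src = policy.get("object-src", policy.get("default-src"))
    if object_src != ["'none'"]:
        findings.append("object-src is not 'none': plugin content (<object>, <embed>) can load")
    if "base-uri" not in policy:
        findings.append("no base-uri: an injected <base> tag can redirect relative script URLs")
    return findings


def strict_csp_header(nonce: str, report_only: bool = False,
                      report_uri: Optional[str] = None) -> Tuple[str, str]:
    """Return (header name, header value) for a nonce-based strict policy.

    'unsafe-inline' and https: are backwards-compatibility fallbacks: browsers
    that understand nonces and 'strict-dynamic' ignore them, older ones
    still get a host-based policy instead of none at all."""
    directives = [
        f"script-src 'nonce-{nonce}' 'strict-dynamic' 'unsafe-inline' https:",
        "object-src 'none'",
        "base-uri 'none'",
    ]
    if report_uri:
        directives.append(f"report-uri {report_uri}")  # placeholder path supplied by caller
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, "; ".join(directives)


def new_nonce() -> str:
    """Fresh per-response nonce: 128 random bits, base64 as the CSP grammar expects."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


if __name__ == "__main__":
    for label, policy in [("MDN minimal", "default-src 'self'"),
                          ("weak (constructed)", "default-src *; script-src 'self' 'unsafe-inline' https:")]:
        print(f"{label}: {policy}")
        for finding in lint_csp(policy):
            print("  -", finding)
    # Roll out in report-only mode first so violations are reported, not enforced.
    print(*strict_csp_header(new_nonce(), report_only=True, report_uri="/csp-report"), sep=": ")
```

The nonce must be generated per response and echoed into every legitimate `<script nonce="...">` tag; a nonce reused across responses or exposed in a cacheable page defeats the point. `report-uri` is deprecated in CSP3 in favour of `report-to` but remains the more widely supported of the two, which is why it is used for the report-only rollout here.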
HexagonCDN changed title from Add strong Content Security Policy (CSP) to Add strict Content Security Policy (CSP) 1 month ago
Poster

@Gusted Add ['Security'](https://codeberg.org/Codeberg/Community/issues?labels=15256) label to this issue?
Reference: Codeberg/Community#777