Content-Security-Policy-Vulnerability/EN

From Siwecos

Check of the Content Security Policy (CSP)

If the result is positive, there is no need for further action. If the result is negative, please read the following instructions.

Result positive: A secure configuration of the Content Security Policy (CSP) was found.
Result negative: Content Security Policy insecure.
Description: The Content Security Policy (CSP) is a security concept designed to reduce the risk of injecting and executing malicious commands in a web application (content injection attacks). By means of a whitelist (a list of allowed sources), it determines from which sources JavaScript code, images, fonts, and other content may be loaded into your site.
Background: A Content Security Policy requires careful coordination and a precise definition of the security concept. When CSP is enabled, it has a considerable impact on the way the browser renders pages (for example, inline JavaScript is disabled by default and must be allowed explicitly in the policy). CSP can prevent a number of attacks such as cross-site scripting and other attacks that inject data into web pages.
Consequence: The Content Security Policy is a powerful way to increase the security of web pages. The whitelist should be reviewed regularly, since it is what prevents the injection of external content or code. On the other hand, it is rarely possible to deploy a secure CSP header without modifying the source code of the web page.
Solution/Tips: If the Content Security Policy is not configured securely, your web application may load content from insecure sources.

Use a CSP with default-src 'none' or 'self' and without the 'unsafe-eval' or 'unsafe-inline' keyword sources. For more information about the Content Security Policy, please refer to SELFHTML.

Example of the header on the start page, set via meta tags:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'">
<meta http-equiv="X-Content-Security-Policy" content="default-src 'self'; script-src 'self'">
<meta http-equiv="X-WebKit-CSP" content="default-src 'self'; script-src 'self'">

Configuration of the web server

If you can configure your own web server, which is usually not possible in low-budget hosting packages, you can set the header via changes to .htaccess:

# Download / Load content only from explicitly allowed sites
# Example: Allow everything from own domain, nothing from external sources:
Header set Content-Security-Policy "default-src 'none'; frame-src 'self'; font-src 'self'; img-src 'self' siwecos.de; object-src 'self'; script-src 'self'; style-src 'self';"

Here is an example of an .htaccess file which will set the Header Scanner to green. (.htaccess example)
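To make the criteria above concrete, here is an added example (not Siwecos scanner code) that parses a Content-Security-Policy header value and checks it against exactly the rules this page gives: default-src must be present and set to 'none' or 'self', and no directive may use 'unsafe-inline' or 'unsafe-eval'. The function names and the finding messages are my own; the sample header is the .htaccess policy shown above.

```python
"""Parse a CSP header value and check it against the rules on this page.

Added example, not the Siwecos scanner's own logic. Criteria checked:
  - default-src is present and is exactly 'none' or 'self'
  - no directive contains 'unsafe-inline' or 'unsafe-eval'
"""

from typing import Dict, List, Tuple


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source, ...]}.

    Directives are separated by ';' and tokens by whitespace. Directive
    names are case-insensitive, so they are lowercased. A repeated
    directive is ignored by browsers, so only the first occurrence is kept.
    """
    policy: Dict[str, List[str]] = {}
    for segment in header_value.split(";"):
        tokens = segment.split()
        if not tokens:
            continue  # trailing ';' or an empty segment
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def check_csp(header_value: str) -> Tuple[bool, List[str]]:
    """Return (is_secure, findings) for a CSP header value.

    Findings are plain-text reasons; an empty list means the policy
    satisfies the page's criteria.
    """
    findings: List[str] = []
    policy = parse_csp(header_value)

    default = policy.get("default-src")
    if default is None:
        findings.append(
            "default-src is missing; fetch directives that are not declared "
            "fall back to allowing any source"
        )
    elif [s.lower() for s in default] not in (["'none'"], ["'self'"]):
        findings.append(
            "default-src should be 'none' or 'self', found: " + " ".join(default)
        )

    # Keyword sources are matched case-insensitively; host names, nonces
    # and hashes are not inspected here.
    for name, sources in policy.items():
        lowered = [s.lower() for s in sources]
        for unsafe in ("'unsafe-inline'", "'unsafe-eval'"):
            if unsafe in lowered:
                findings.append(f"{name} allows {unsafe}")

    return (not findings, findings)


# The policy from the .htaccess example on this page.
PAGE_POLICY = (
    "default-src 'none'; frame-src 'self'; font-src 'self'; "
    "img-src 'self' siwecos.de; object-src 'self'; script-src 'self'; "
    "style-src 'self';"
)

if __name__ == "__main__":
    for candidate in (
        PAGE_POLICY,
        "default-src 'self'; script-src 'self' 'unsafe-inline'",  # constructed
        "script-src 'self'",                                      # constructed
    ):
        ok, reasons = check_csp(candidate)
        print("secure" if ok else "insecure", "->", candidate)
        for reason in reasons:
            print("   ", reason)
```

Run it as a script to see the page's own policy reported as secure and the two constructed variants flagged. Note that this check only covers the rules stated on this page; a full review would also look at wildcard hosts, data: or http: schemes, and frame-ancestors.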