From Siwecos
Revision as of 4 July 2018, 10:08 by Siwebot (talk | contribs) (page created)

Check of the Content Security Policy (CSP)

Check: Content Security Policy insecure
Description: The Content Security Policy (CSP) is a security mechanism designed to reduce the risk that malicious content injected into a web application is loaded or executed (content injection attacks). Using a whitelist (list of allowed sources), it tells the browser from which sources JavaScript code, images, fonts and other content may be loaded into your site.
Background: Content Security Policy (CSP) requires careful coordination and a precise definition of the security concept. Once enabled, CSP significantly affects how the browser renders (composes) the pages. For example, as soon as the policy restricts script sources, inline JavaScript (script blocks, event-handler attributes, javascript: URLs) is blocked unless the policy explicitly allows it, for instance by a nonce or a hash. CSP can thereby help mitigate code injection attacks.
Impact: The Content Security Policy is a powerful way to increase the security of web pages. On the other hand, it is rarely possible to deploy a secure CSP header without modifying the source code of the web page, because inline scripts and styles have to be moved into separate files or marked with nonces or hashes.
Solution / Tips: If the Content Security Policy is not configured securely, your web application may load content from insecure sources.

Use a CSP with default-src 'none' or 'self' and without the 'unsafe-eval' or 'unsafe-inline' source keywords (they are keywords inside script-src or style-src, not directives of their own). For more information about Content Security Policy, refer to SELFHTML.
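The following Python script is an added example and not part of the Siwecos page: it checks a Content-Security-Policy value for the weaknesses described above (missing default-src, unrestricted script-src/object-src through the default-src fallback, 'unsafe-inline' and 'unsafe-eval', wildcard and scheme-only sources) and shows how a per-response nonce lets a page keep an inline script without 'unsafe-inline'. The directive names, keywords and fallback rules follow the CSP specification; the function names, the finding texts and the sample policies are this example's own.

```python
"""Check a Content-Security-Policy value for common weaknesses and build a
nonce-based policy that allows an inline script without 'unsafe-inline'.
Added example, not Siwecos code: directive names and keywords follow the CSP
specification, the function names and finding texts are this example's own."""
import secrets

# Keywords that re-enable what a script-src/style-src restriction is meant to block
UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}
# Source expressions that match any origin, or any origin with a given scheme
BROAD_SOURCES = {"*", "http:", "https:", "data:"}
# A nonce or hash source makes CSP2+ browsers ignore 'unsafe-inline' in that directive
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Parse a header value into {directive: [source, ...]}.

    Directives are separated by ';' and tokens by whitespace; the space after
    ';' is optional, so "font-src 'self';img-src 'self'" parses as two directives.
    Directive names are case-insensitive; a repeated directive is ignored, as
    browsers honour only the first occurrence.
    """
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Sources governing a fetch directive, honouring the fallback to default-src.
    None means neither is set, i.e. the directive is unrestricted."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def check_csp(header):
    """Return a list of findings; an empty list means the policy passes these checks."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("default-src missing: every directive not named explicitly is unrestricted")
    for directive in ("script-src", "style-src", "object-src"):
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive}: unrestricted (neither {directive} nor default-src set)")
            continue
        lowered = {s.lower() for s in sources}
        unsafe = lowered & UNSAFE_KEYWORDS
        if any(s.startswith(NONCE_OR_HASH) for s in lowered):
            # Common compatibility pattern: 'unsafe-inline' only as fallback for CSP1 browsers
            unsafe.discard("'unsafe-inline'")
        for keyword in sorted(unsafe):
            findings.append(f"{directive}: {keyword} permitted")
        for source in sorted(lowered & BROAD_SOURCES):
            findings.append(f"{directive}: overly broad source {source}")
    return findings


def new_nonce():
    """Fresh, unpredictable nonce per response: 16 random bytes, base64url-encoded
    (the CSP base64-value grammar accepts the '-' and '_' alphabet)."""
    return secrets.token_urlsafe(16)


def nonce_policy(nonce):
    """Policy that runs own-origin scripts and inline scripts carrying this nonce,
    so 'unsafe-inline' is not needed; object-src 'none' blocks plugin content."""
    return f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; object-src 'none'"


def inline_script(nonce, js):
    """Inline <script> that the policy above executes; the attribute must match the header."""
    return f'<script nonce="{nonce}">{js}</script>'


if __name__ == "__main__":
    # Constructed sample policies: a strict one, one weakened by keywords, one without default-src
    for value in ("default-src 'self'; script-src 'self'",
                  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
                  "img-src 'self'"):
        print(value, "->", check_csp(value) or "OK")
    nonce = new_nonce()
    print("Content-Security-Policy:", nonce_policy(nonce))
    print(inline_script(nonce, "console.log('allowed by nonce')"))
```

The nonce must be generated freshly for every response and inserted both into the header and into each inline script tag; a static nonce is equivalent to 'unsafe-inline'.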

Example of setting the policy in the HTML head of the start page. Only the Content-Security-Policy name is read by current browsers; X-Content-Security-Policy and X-WebKit-CSP are legacy vendor-prefixed names for old Firefox and WebKit versions. A meta element cannot carry the frame-ancestors, report-uri or sandbox directives and only governs content that follows it in the document, so place it as early as possible in <head>; where you control the server, the HTTP response header is preferable:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'">
<meta http-equiv="X-Content-Security-Policy" content="default-src 'self'; script-src 'self'">
<meta http-equiv="X-WebKit-CSP" content="default-src 'self'; script-src 'self'">

Configuration of the web server

On an Apache server the header can be set in the .htaccess file, which works on many low-budget hosting packages where you cannot edit the main server configuration (it requires mod_headers and an AllowOverride setting that permits .htaccess files):

# Load content only from explicitly allowed sources.
# Example: allow the listed content types from the own origin, nothing from external sources.
# default-src 'none' also blocks every fetch directive not listed here (e.g. connect-src for
# XMLHttpRequest/fetch, media-src), so add those if the site needs them.
# "always" makes Apache send the header on error responses (4xx/5xx) as well.
<IfModule mod_headers.c>
Header always set Content-Security-Policy "default-src 'none'; frame-src 'self'; font-src 'self'; img-src 'self'; object-src 'self'; script-src 'self'; style-src 'self'"
</IfModule>

An example of a complete .htaccess file that makes the Header Scanner report green is linked here: (.htaccess example)
