Content-Security-Policy-Vulnerability/EN/Solution Tips: Difference between revisions

From Siwecos
Current revision as of 8 April 2019, 08:53

If the Content Security Policy is not configured securely, your web application may load content from insecure sources.

Use a CSP whose default-src is 'none' or 'self' and which contains no 'unsafe-eval' or 'unsafe-inline' keywords. For more information about Content Security Policy, see SELFHTML (https://wiki.selfhtml.org/wiki/Sicherheit/Content_Security_Policy).

Example for the header on the start page:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'">
<meta http-equiv="X-Content-Security-Policy" content="default-src 'self'; script-src 'self'">
<meta http-equiv="X-WebKit-CSP" content="default-src 'self'; script-src 'self'">

Configuration of the web server

If you can configure your own web server, which is usually not possible in low-budget hosting packages, there is this option via changes to .htaccess:

# Download / load content only from explicitly allowed sites
# Example: allow everything from own domain, nothing from external sources:
Header set Content-Security-Policy "default-src 'none'; frame-src 'self'; font-src 'self'; img-src 'self' siwecos.de; object-src 'self'; script-src 'self'; style-src 'self';"

Here is an example of an .htaccess file which will set the Header Scanner to green. (.htaccess example)
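As an added illustration (my own code, not part of the Siwecos wiki or its scanner), the small checker below parses a Content-Security-Policy value the way the tips above require and reports anything that violates them: a missing or non-'none'/'self' default-src, any 'unsafe-inline' or 'unsafe-eval' keyword, and wildcard hosts. It is run against the page's own <meta> and .htaccess policies and against a constructed weak policy for contrast.

```python
# Keywords the page says a secure policy must not contain.
FORBIDDEN = {"'unsafe-inline'", "'unsafe-eval'"}

def parse_csp(header_value):
    """Parse a CSP header value into {directive: [sources]}.
    Directives are separated by ';', sources by whitespace; a missing
    space after ';' (as in the page's .htaccess example) is tolerated."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)  # browsers keep the first occurrence of a directive
    return policy

def check_csp(header_value):
    """Return a list of findings; an empty list means the policy follows the
    page's advice (default-src 'none' or 'self', no unsafe-* keywords)."""
    policy = parse_csp(header_value)
    findings = []
    default = policy.get("default-src")
    if default is None:
        findings.append("default-src missing: fetch directives not listed fall back to allowing everything")
    elif default not in (["'none'"], ["'self'"]):
        findings.append("default-src should be 'none' or 'self', got: " + " ".join(default))
    for name, sources in policy.items():
        for src in sources:
            if src.lower() in FORBIDDEN:
                findings.append(f"{name} allows {src}")
            elif src == "*" or src.startswith("*."):
                findings.append(f"{name} allows wildcard host {src}")
    return findings

# Policies taken from the page: the <meta> example and the .htaccess example.
META_POLICY = "default-src 'self'; script-src 'self'"
HTACCESS_POLICY = ("default-src 'none'; frame-src 'self'; font-src 'self';img-src 'self' siwecos.de; "
                   "object-src 'self'; script-src 'self'; style-src 'self';")
# Constructed weak policy for contrast (not from the page).
WEAK_POLICY = "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval'"

if __name__ == "__main__":
    for label, value in [("meta", META_POLICY), ("htaccess", HTACCESS_POLICY), ("weak", WEAK_POLICY)]:
        print(label, check_csp(value) or "OK")
```

Note that a policy delivered via <meta http-equiv> cannot use frame-ancestors, report-uri or sandbox; the .htaccess header route has no such limitation.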