Content-Security-Policy-Vulnerability/EN/Solution Tips: Unterschied zwischen den Versionen
(5 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
Zeile 1: | Zeile 1: | ||
− | + | If the Content Security Policy is not configured securely, your web application may load content from insecure sources. | |
+ | Use the CSP with default-src 'none' or 'self' and without unsafe-eval or unsafe-inline directives. For more information about '''Content Security Policy''', please refer to '''[https://wiki.selfhtml.org/wiki/Sicherheit/Content_Security_Policy SELFHTML>>]''' | ||
− | + | '''Example for the [[Header/EN|header]] on the start page:''' | |
− | + | <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'"> | |
− | + | <meta http-equiv="X-Content-Security-Policy" content="default-src 'self'; script-src 'self'"> | |
− | + | <meta http-equiv="X-WebKit-CSP" content="default-src 'self'; script-src 'self'"> | |
− | <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'"> | ||
− | <meta http-equiv="X-Content-Security-Policy" content="default-src 'self'; script-src 'self'"> | ||
− | <meta http-equiv="X-WebKit-CSP" content="default-src 'self'; script-src 'self'" | ||
'''Configuration of the web server''' | '''Configuration of the web server''' | ||
Zeile 15: | Zeile 13: | ||
If you can configure your own web server, which is usually not possible in low-budget hosting packages, there is this option via '''changes to .htaccess''': | If you can configure your own web server, which is usually not possible in low-budget hosting packages, there is this option via '''changes to .htaccess''': | ||
− | + | # Download / Load content only from explicitly allowed sites | |
− | # Example: Allow everything from own domain, nothing from external sources: | + | # Example: Allow everything from own domain, nothing from external sources: |
− | |||
− | |||
− | |||
− | |||
− | -- | + | Header set Content-Security-Policy "default-src 'none'; frame-src 'self'; font-src 'self';img-src 'self' siwecos.de; object-src 'self'; script-src 'self'; style-src 'self';" |
− | Here is an example of an .htaccess file which will set the ''' | + | Here is an example of an .htaccess file which will set the '''Header Scanner''' to green. |
− | ([[Htaccess|.htaccess example | + | ([[Htaccess/EN|.htaccess example]]) |
Aktuelle Version vom 8. April 2019, 09:53 Uhr
If the Content Security Policy is not configured securely, your web application may load content from insecure sources.
Use the CSP with default-src 'none' or 'self' and without unsafe-eval or unsafe-inline directives. For more information about Content Security Policy, please refer to SELFHTML>>
Example for the header on the start page:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'"> <meta http-equiv="X-Content-Security-Policy" content="default-src 'self'; script-src 'self'"> <meta http-equiv="X-WebKit-CSP" content="default-src 'self'; script-src 'self'">
Configuration of the web server
If you can configure your own web server, which is usually not possible in low-budget hosting packages, there is this option via changes to .htaccess:
# Download / Load content only from explicitly allowed sites # Example: Allow everything from own domain, nothing from external sources:
Header set Content-Security-Policy "default-src 'none'; frame-src 'self'; font-src 'self';img-src 'self' siwecos.de; object-src 'self'; script-src 'self'; style-src 'self';"
Here is an example of an .htaccess file which will set the Header Scanner to green. (.htaccess example)