Content-Security-Policy-Vulnerability/EN/Solution Tips: Difference between revisions

From Siwecos

Revision as of 4 April 2019, 11:13

If the Content Security Policy is not configured securely, your web application may load content from insecure sources.

Use a CSP whose default-src is 'none' or 'self' and that contains neither the 'unsafe-eval' nor the 'unsafe-inline' keyword. For more information about Content Security Policy, please refer to SELFHTML (https://wiki.selfhtml.org/wiki/Sicherheit/Content_Security_Policy).

Example for the header on the start page:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'">
<meta http-equiv="X-Content-Security-Policy" content="default-src 'self'; script-src 'self'">
<meta http-equiv="X-WebKit-CSP" content="default-src 'self'; script-src 'self'">

Configuration of the web server

If you can configure your own web server, which is usually not possible in low-budget hosting packages, you can set the header via changes to .htaccess:

# Download / Load content only from explicitly allowed sites
# Example: Allow everything from own domain, nothing from external sources:
# (the Header directive requires Apache's mod_headers to be enabled)
Header set Content-Security-Policy "default-src 'none'; frame-src 'self'; font-src 'self'; img-src 'self' siwecos.de; object-src 'self'; script-src 'self'; style-src 'self';"
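To see whether a policy actually meets the rules given above (default-src present and equal to 'none' or 'self', no 'unsafe-inline' or 'unsafe-eval'), the following added example parses a policy string and reports findings. It is example code written for this page, not part of the Siwecos wiki or its scanner; it also extracts the policy from the `<meta http-equiv="Content-Security-Policy">` tag shown in the start-page example and, going one step beyond the page, flags a bare `*` source, which permits loading from any origin. The sample HTML and the weak policy at the bottom are constructed inputs; it uses only the Python standard library and makes no network requests.

```python
"""Check a Content-Security-Policy value against the rules on this page.

Rules checked: default-src is present and is exactly 'none' or 'self';
no directive allows 'unsafe-inline' or 'unsafe-eval'. As a generalisation
beyond the page, a bare '*' source is also reported.
"""
from __future__ import annotations

from html.parser import HTMLParser

WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a policy string into {directive: [source tokens]}.

    Directives are separated by ';' (a missing space after ';' is
    tolerated, as browsers tolerate it) and tokens by whitespace. The first
    occurrence of a directive wins; browsers ignore later duplicates.
    """
    parsed: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            parsed.setdefault(tokens[0].lower(), tokens[1:])
    return parsed


def check_csp(policy: str) -> list[str]:
    """Return a list of findings; an empty list means the policy passes."""
    csp = parse_csp(policy)
    findings: list[str] = []

    default = csp.get("default-src")
    if default is None:
        findings.append("default-src missing: every directive not listed is unrestricted")
    elif default not in (["'none'"], ["'self'"]):
        findings.append(f"default-src should be 'none' or 'self', got: {' '.join(default)}")

    for directive, sources in csp.items():
        for src in sources:
            if src.lower() in WEAK_SOURCES:
                findings.append(f"{directive} allows {src}")
    return findings


class _MetaCSPExtractor(HTMLParser):
    """Collect the content of <meta http-equiv="Content-Security-Policy"> tags.

    Only the unprefixed name is collected: current browsers ignore the
    legacy X-Content-Security-Policy and X-WebKit-CSP variants.
    """

    def __init__(self) -> None:
        super().__init__()
        self.policies: list[str] = []

    def handle_starttag(self, tag: str, attrs: list[tuple[str, str | None]]) -> None:
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "content-security-policy":
            self.policies.append(a.get("content", ""))


def policies_from_html(html: str) -> list[str]:
    """Extract every CSP declared via <meta> in an HTML document."""
    extractor = _MetaCSPExtractor()
    extractor.feed(html)
    return extractor.policies


# Constructed sample input: the start-page <meta> tags and the .htaccess
# policy from this page, plus one deliberately weak policy for contrast.
SAMPLE_HTML = """<html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'">
<meta http-equiv="X-Content-Security-Policy" content="default-src 'self'; script-src 'self'">
<meta http-equiv="X-WebKit-CSP" content="default-src 'self'; script-src 'self'">
</head><body></body></html>"""

HTACCESS_POLICY = ("default-src 'none'; frame-src 'self'; font-src 'self'; img-src 'self' siwecos.de; "
                   "object-src 'self'; script-src 'self'; style-src 'self';")

WEAK_POLICY = "script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src *"

if __name__ == "__main__":
    for label, policy in [("meta", policies_from_html(SAMPLE_HTML)[0]),
                          ("htaccess", HTACCESS_POLICY),
                          ("weak", WEAK_POLICY)]:
        findings = check_csp(policy)
        print(f"{label}: {'OK' if not findings else 'findings'}")
        for finding in findings:
            print("  -", finding)
```

Run it as a script to see that both policies from this page pass while the constructed weak policy produces four findings (missing default-src, the two unsafe keywords and the wildcard). To check a live site, pass the value of its Content-Security-Policy response header, or its page source, to `check_csp` or `policies_from_html`.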

An example .htaccess file that will set the Header Scanner to green is given on the .htaccess example page (Htaccess/EN).