Versions Compared

Old Version 25

changes.mady.by.user Jacques Le Roux

Saved on

compared with

New Version 26

changes.mady.by.user Jacques Le Roux

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Adds a Content Security Policy

The main tool we recommend is https://securityheaders.io

Though this is not only about HTTP headers browserscope.org gives interesting view on what is supported by top browsers

Here is the state we had (2015-12-12):

...

https://en.wikipedia.org/wiki/List_of_HTTP_header_fields

Though this is not only about HTTP headers browserscope.org gives interesting view on what is supported by top browsers

X-Frame-Options

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

...

To use in custom project only. Public-Key-Pins-Report-Only is interesting but can't be used OOTB because of demos (the letsencrypt certificate is renewed every 3 months)

Content Security Policy

I'd like to use the safer one OOTB, ie in Java: resp.setHeader("Content-Security-Policy", "default-src 'self'");

This means that all resources links should be local. The resources types are: script, object (plugins), style, img, media, frame, font, connect and form.

No need to say that it's very ambitious and not for today.

The 1st task to handle is to remove as much as possible JavaScript snippets and have as much as possible JavaScript files.

There are already few Jiras about that and we are slowly heading in the right direction.

It's not sure we can reach this very ambitious goal and the good news is that it's not a problem if we don't.

When we will hit cases where local it's not possible then we can define so called nonce to be sure the resources are loaded from the right place.

In no case we should OOTB use the lazy unsafe-inline and eval-inline

To not block anything for the moment I have committed a simple most restrictive Content-Security-Policy-Report-Only header at r1812720

Then we can look at the issues using browsers tools (there are so much)

The next step is to report the errors (when there will not be too much) in the log using a report-uri

And ultimately to use OOTB the most simple and constraining policy, with exceptions of course (as ever).

Note: if we encounter performance issue we can comment out the current Content-Security-Policy-Report-Only

https://scotthelme.co.uk/content-security-policy-an-introduction/

https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy

https://csp.withgoogle.com/docs/adopting-csp.html

https://content-security-policy.com/

Related Jira issues:

Jira
serverASF JIRA
serverId5aa69414-a9e9-3523-82ec-879b028fb15b
keyOFBIZ-6759

...