Content Security Policy Headers

Content Security Policy Headers

Jason E Bailey-2
If you're not familiar with them

https://tools.ietf.org/html/rfc7231
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

I'm wondering if anyone has used the CSP to secure javascript and styles successfully in Sling and what techniques did they use to get there.

I'm about to raise an issue with our vendor because of lack of support, but I like to try to avoid tickets if necessary.

- Jason

Re: Content Security Policy Headers

Daniel Klco-2
Jason,

Rather than putting the headers in Sling, I'd recommend supplying the CSP
in your caching (httpd etc) layer. Something like this:

   Header set X-Frame-Options "ALLOW-FROM https://launch.adobe.com"
   Header set X-XSS-Protection "1; mode=block"
   Header set X-Content-Type-Options "nosniff"
   Header set Feature-Policy "sync-xhr 'self' https://www.danklco.com"
   Header set Content-Security-Policy "default-src https: data: 'unsafe-inline'"


I use this on my personal site and have an A rating:
https://securityheaders.com/?q=https%3A%2F%2Fwww.danklco.com%2F

Regards,
Dan


On Fri, Jan 10, 2020 at 12:26 PM Jason E Bailey <[hidden email]> wrote:


Re: Content Security Policy Headers

Eric Norman-2
In reply to this post by Jason E Bailey-2
I set these headers (and HSTS header) with a simple servlet filter.

Regards,
Eric

On Fri, Jan 10, 2020, 9:26 AM Jason E Bailey <[hidden email]> wrote:

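Eric mentions setting the headers from a servlet filter but does not show one. The following is an added example (not Eric's code and not part of Apache Sling) of how such a filter can be registered in Sling as an OSGi Declarative Services component so that it stamps the headers on every request. The package and class names, the header values and the service.ranking value are assumptions; the bundle needs the javax.servlet API, the OSGi DS annotations and Sling Engine on its classpath.

```java
package com.example.security; // hypothetical package, not part of any Sling module

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.osgi.service.component.annotations.Component;

/**
 * Sling request-scope filter that adds security headers to every response.
 * "sling.filter.scope=request" puts it in the request-level filter chain;
 * service.ranking controls its position in that chain (the value below is
 * an assumption, pick one that fits the other filters in your deployment).
 */
@Component(
        service = Filter.class,
        property = {
                "sling.filter.scope=request",
                "service.ranking:Integer=1000"
        })
public class SecurityHeadersFilter implements Filter {

    // Browsers only honour HSTS on an https response, so sending it
    // unconditionally is harmless over plain http and still correct behind
    // a TLS-terminating proxy where request.isSecure() may report false.
    static final String HSTS = "max-age=31536000; includeSubDomains";

    // No 'unsafe-inline': every inline <script> or <style> is blocked unless
    // it is allowed by a hash or nonce. Adjust sources per site.
    static final String CSP = "default-src 'self'; object-src 'none'; "
            + "base-uri 'self'; frame-ancestors 'none'";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            // Set headers before handing off: once the rendering script or
            // servlet commits the response, setHeader() is silently ignored.
            applyHeaders((HttpServletResponse) response);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /** Kept separate so the header set can be unit-tested with a mock response. */
    static void applyHeaders(HttpServletResponse res) {
        res.setHeader("Strict-Transport-Security", HSTS);
        res.setHeader("Content-Security-Policy", CSP);
        res.setHeader("X-Content-Type-Options", "nosniff");
        res.setHeader("X-Frame-Options", "DENY"); // older browsers; frame-ancestors covers the rest
        res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
    }
}
```

After deploying the bundle, check a cache miss and a cache hit with `curl -sI https://host/path` and confirm the same headers appear on both: a dispatcher or httpd layer in front of Sling can strip, override or duplicate headers, so the filter and the cache configuration have to agree on who owns them.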

Re: Content Security Policy Headers

Jason E Bailey
In reply to this post by Daniel Klco-2
I should have been more specific. I have a security person who wants us to remove the unsafe-inline for the javascript.
This has taken up so much of my focus that I forget all about the rest of it.

To pull off the removal of the unsafe-inline you have to use hashes for the javascript or a nonce that changes every time you request the page. This is where my mind starts to explode.

--
Jason

On Fri, Jan 10, 2020, at 2:13 PM, Daniel Klco wrote:

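Jason's last post names the two mechanisms that let you drop 'unsafe-inline' for scripts, hashes and per-request nonces, without showing how either value is produced. The following is an added example (not Jason's code and not part of Apache Sling) that computes a CSP hash source for an inline script body, generates a per-response nonce, and assembles the script-src directive. The package and class names and the sample inline script are constructed for the example.

```java
package com.example.security; // hypothetical package

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/** Two ways to allow a specific inline script without 'unsafe-inline'. */
public final class CspInlineScripts {

    private static final SecureRandom RNG = new SecureRandom();

    private CspInlineScripts() {}

    /**
     * Hash source for an inline script. The browser hashes exactly the bytes
     * between <script> and </script> (UTF-8, no trimming), so the string
     * passed here must be byte-identical to what the page renders: a changed
     * space, newline or templated value invalidates the hash.
     */
    public static String sha256Source(String scriptBody) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(scriptBody.getBytes(StandardCharsets.UTF_8));
            return "'sha256-" + Base64.getEncoder().encodeToString(digest) + "'";
        } catch (NoSuchAlgorithmException e) {
            // Every compliant JVM ships SHA-256; treat absence as a broken runtime.
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /**
     * Per-response nonce: 128 bits from a CSPRNG, base64 encoded. Generate a
     * fresh one for every response and never reuse it. A cached page reuses
     * its nonce across visitors, and a nonce an attacker can read is as good
     * as 'unsafe-inline'.
     */
    public static String newNonce() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.getEncoder().encodeToString(raw);
    }

    /** script-src directive: self, this response's nonce, plus hashed inline blocks. */
    public static String scriptSrc(String nonce, String... hashSources) {
        StringBuilder sb = new StringBuilder("script-src 'self' 'nonce-")
                .append(nonce).append("'");
        for (String hash : hashSources) {
            sb.append(' ').append(hash);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a typical inline bootstrap snippet.
        String inline = "window.dataLayer = window.dataLayer || [];";
        String hash = sha256Source(inline);
        String nonce = newNonce();

        System.out.println("Content-Security-Policy: " + scriptSrc(nonce, hash));
        // Hashed block: no attribute needed, the policy matches its exact content.
        System.out.println("<script>" + inline + "</script>");
        // Nonced block: the attribute must equal the nonce in this response's header.
        System.out.println("<script nonce=\"" + nonce + "\">console.log('hello');</script>");
    }
}
```

Which mechanism fits depends on where the header is set. Hashes depend only on the script content, so they work with a static Content-Security-Policy header set at the httpd layer as in Dan's reply, at the cost of recomputing the hash whenever the inline block changes. Nonces require the header and the `nonce` attribute to be generated together for each response, so they have to be produced where the page is rendered, for example in a request filter like the one Eric describes that stores the nonce in a request attribute for the templates to read, and the resulting page must not be served from a shared cache.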