Closed mzur closed 3 years ago
Implement a content security policy. The way we use Vue and inline scripts requires all (?) script-src
permissions. This is a draft of a CSP that could work (add it to vhost.conf and vhost-no-ssl.conf):
add_header Content-Security-Policy "style-src 'self' 'unsafe-inline'; form-action 'self'; object-src 'none'; frame-ancestors 'none'";
We should also implement an API endpoint that accepts report-uri
warnings. The warnings should be converted to log error messages so we can detect any unintended CSP violations.
Maybe we can add script-src 'self' 'unsafe-inline' 'unsafe-eval'; this at least disallows data: and unsafe hashes.
Also we could add https: to script-src, style-src and form-action in case of vhost.conf (not vhost-no-ssl.conf).
I ditched the more advanced CSP as it involves too much work.
Issue 1: We have to implement a new public endpoint to accept CSP violation reports. This endpoint could potentially be used as DDoS target because it writes the report directly to the logs.
Issue 2: The CSP report is sent with content type application/csp-report. This is not recognized and not parsed as JSON by Laravel.
I've now implemented the following CSP which I validated with some manual testing:
form-action 'self'; object-src 'none'; frame-ancestors 'none'
These reports recommend improvements for the webserver settings:
Implement them if possible.