bnomei / kirby3-security-headers

Kirby Plugin for easier Security Headers setup
https://forum.getkirby.com/t/kirby3-security-headers-best-practice-headers-nonce-csp-and-feature-policies/23583
MIT License

Configured CSP header is ignored #17

Closed qroac closed 2 years ago

qroac commented 4 years ago

Kirby v3, the security headers plugin and its dependencies installed via Composer in the most recent versions at the time of writing.

I set up this plugin to output CSP headers matching the hostnames required by the website, like this:

// site/config/config.php
return [
    'bnomei.securityheaders.headers' => [
        "X-Powered-By" => "", // unset
        "X-Frame-Options" => "SAMEORIGIN",
        "X-XSS-Protection" => "1; mode=block",
        "X-Content-Type-Options" => "nosniff",
        "strict-transport-security" => "max-age=31536000; includeSubdomains",
        "Referrer-Policy" => "no-referrer-when-downgrade",
        // Generated with https://www.cspisawesome.com/content_security_policies
        "Content-Security-Policy" => "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' stats.autark-app.de www.google.com www.gstatic.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' data: a.basemaps.cartocdn.com b.basemaps.cartocdn.com c.basemaps.cartocdn.com; frame-src www.google.com; font-src 'self' fonts.gstatic.com; connect-src 'self'",
        // Legacy vendor-prefixed names for the same policy (old Firefox / WebKit builds)
        "X-Content-Security-Policy" => "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' stats.autark-app.de www.google.com www.gstatic.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' data: a.basemaps.cartocdn.com b.basemaps.cartocdn.com c.basemaps.cartocdn.com; frame-src www.google.com; font-src 'self' fonts.gstatic.com; connect-src 'self'",
        "X-WebKit-CSP" => "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' stats.autark-app.de www.google.com www.gstatic.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' data: a.basemaps.cartocdn.com b.basemaps.cartocdn.com c.basemaps.cartocdn.com; frame-src www.google.com; font-src 'self' fonts.gstatic.com; connect-src 'self'",
    ],
];

But it seems to be ignored, as the headers sent to the browser are these:

Content-Security-Policy: base-uri 'self'; default-src 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src; img-src 'self' data:; media-src 'none'; object-src 'none'; script-src 'self' 'nonce-MTc1NWZjOGY1NDRiNmE0MmI3MjM1ZGUxNTdiZmI3MjU5YzgxNDMwYg=='; style-src 'self' 'nonce-MTc1NWZjOGY1NDRiNmE0MmI3MjM1ZGUxNTdiZmI3MjU5YzgxNDMwYg=='; worker-src; upgrade-insecure-requests
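
The quickest way to confirm what this post observes is to parse both policies and diff them directive by directive. The script below is an added example for this issue, not code from the kirby3-security-headers plugin or from either poster; `parse_csp`, `diff_policies` and `script_findings` are names chosen here. The two policy strings are the ones quoted above (the configured value and the header the browser received); nonce values are normalised so that two responses with different per-request nonces compare equal. It also flags the `'unsafe-inline'` / `'unsafe-eval'` keywords in the configured `script-src`, which the nonce-based default policy avoids.

```python
"""Compare a configured Content-Security-Policy with the one a server actually sends.

Added example for this issue; not code from the kirby3-security-headers plugin.
CONFIGURED is the value set in the `headers` option above, SERVED is the
response header the browser received (the loader.json default with a nonce).
"""
from __future__ import annotations

import re

CONFIGURED = (
    "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' "
    "stats.autark-app.de www.google.com www.gstatic.com; "
    "style-src 'self' 'unsafe-inline' fonts.googleapis.com; "
    "img-src 'self' data: a.basemaps.cartocdn.com b.basemaps.cartocdn.com "
    "c.basemaps.cartocdn.com; frame-src www.google.com; "
    "font-src 'self' fonts.gstatic.com; connect-src 'self'"
)
SERVED = (
    "base-uri 'self'; default-src 'self'; connect-src 'self'; font-src 'self'; "
    "form-action 'self'; frame-ancestors 'none'; frame-src; img-src 'self' data:; "
    "media-src 'none'; object-src 'none'; "
    "script-src 'self' 'nonce-MTc1NWZjOGY1NDRiNmE0MmI3MjM1ZGUxNTdiZmI3MjU5YzgxNDMwYg=='; "
    "style-src 'self' 'nonce-MTc1NWZjOGY1NDRiNmE0MmI3MjM1ZGUxNTdiZmI3MjU5YzgxNDMwYg=='; "
    "worker-src; upgrade-insecure-requests"
)

NONCE_RE = re.compile(r"^'nonce-[A-Za-z0-9+/=_-]+'$")
NONCE_PLACEHOLDER = "'nonce-<per-request>'"


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace; a directive with
    no tokens (e.g. "frame-src;") maps to an empty list. Browsers honour only
    the first occurrence of a directive, so duplicates are dropped the same way.
    """
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)  # first occurrence wins
    return policy


def normalize(policy: dict[str, list[str]]) -> dict[str, list[str]]:
    """Replace per-request nonce values with a placeholder so responses compare equal."""
    return {
        d: [NONCE_PLACEHOLDER if NONCE_RE.match(s) else s for s in sources]
        for d, sources in policy.items()
    }


def diff_policies(expected: str, served: str) -> dict[str, tuple[list[str] | None, list[str] | None]]:
    """Return the directives whose sources differ: {directive: (expected, served)}.

    A side that lacks the directive entirely shows None, so a policy that has
    been silently replaced by another one (as in this issue) lights up every
    directive except those that happen to coincide.
    """
    a, b = normalize(parse_csp(expected)), normalize(parse_csp(served))
    return {d: (a.get(d), b.get(d)) for d in sorted(set(a) | set(b)) if a.get(d) != b.get(d)}


def script_findings(header: str) -> list[str]:
    """Flag script-src keywords that let injected markup run despite the policy."""
    policy = parse_csp(header)
    # script-src falls back to default-src when absent
    sources = policy.get("script-src", policy.get("default-src", []))
    has_nonce_or_hash = any(NONCE_RE.match(s) or s.startswith("'sha") for s in sources)
    findings: list[str] = []
    # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is present,
    # so it only counts as a weakness when it is the sole way inline script runs.
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        findings.append("script-src 'unsafe-inline': any injected <script> or handler executes")
    if "'unsafe-eval'" in sources:
        findings.append("script-src 'unsafe-eval': eval()/new Function() remain available")
    return findings


if __name__ == "__main__":
    for directive, (want, got) in diff_policies(CONFIGURED, SERVED).items():
        print(f"{directive:<26} configured={want}  served={got}")
    print("configured policy:", script_findings(CONFIGURED) or ["no script-src findings"])
    print("served policy:    ", script_findings(SERVED) or ["no script-src findings"])
```

Run against a live site by replacing SERVED with the value from `curl -sI https://example.test | grep -i content-security-policy`; only `connect-src` agrees between the two policies here, which is the signature of one policy being substituted for another rather than merged with it.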
bnomei commented 4 years ago

Sorry to respond so late...

The headers option does not handle the CSP headers. The CSP headers you are seeing are from the default loader.json. You can either

1) use the loader with a custom JSON file, or 2) just use the setter callback.

bnomei commented 4 years ago

That behavior is intended, since this plugin was created to use a JSON file or a lib to avoid writing the CSP by hand.