flatpressblog / flatpress

FlatPress is a lightweight, easy-to-set-up flat-file blogging engine.
https://flatpress.org
GNU General Public License v2.0

Harden the response header for browsers #146

Closed Fraenkiman closed 1 year ago

Fraenkiman commented 2 years ago

Hello, everyone,

Since some of the FlatPress users would like to offer visitors a certain level of security when visiting the FlatPress Blog, but may not know how, certain security guidelines can already be integrated into FlatPress. Headers such as Content-Security-Policy and X-Frame-Options can thwart common hacks like a clickjacking attack.

I took the liberty of adapting the defaults.php file from the current master branch. Brief description of the adjustment:

Added in line 124:

```php
ini_set('session.cookie_samesite', 'Lax');
```

Added in lines 156 to 162:

```php
header("Content-Security-Policy: default-src 'self'; base-uri 'self'; font-src 'self' data:; script-src 'self' 'unsafe-inline' blob:; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; frame-ancestors 'self'; manifest-src 'self'; worker-src 'self' blob:; frame-src 'self' data:; connect-src 'self' blob:; media-src 'self' blob:; child-src 'self' blob:; form-action 'self';");
header("X-Content-Security-Policy: default-src 'self'; base-uri 'self'; font-src 'self' data:; script-src 'self' 'unsafe-inline' blob:; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; frame-ancestors 'self'; manifest-src 'self'; worker-src 'self' blob:; frame-src 'self' data:; connect-src 'self' blob:; media-src 'self' blob:; child-src 'self' blob:; form-action 'self';");
header("X-WebKit-CSP: default-src 'self'; base-uri 'self'; font-src 'self' data:; script-src 'self' 'unsafe-inline' blob:; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; frame-ancestors 'self'; manifest-src 'self'; worker-src 'self' blob:; frame-src 'self' data:; connect-src 'self' blob:; media-src 'self' blob:; child-src 'self' blob:; form-action 'self';");
header("Permissions-Policy: interest-cohort=(), autoplay=(self), camera=(self), fullscreen=(self), geolocation=(self), microphone=(self), payment=(),");
header("Feature-Policy: interest-cohort 'none'; autoplay 'self'; camera 'self'; fullscreen 'self'; geolocation 'self'; microphone 'self'; payment 'none';");
header('X-Permitted-Cross-Domain-Policies: none');
header('X-Download-Options: noopen');
```

A before and after test can be carried out here, among other things. I am happy to provide the adapted file for testing on a test system.

defaults.zip

Best regards, Frank

DJPVMA commented 2 years ago

I have a question. When I added this, it blocked fontawesome.

Please, see attached browser warnings below:

Error with Feature-Policy header: Origin trial controlled feature not enabled: 'interest-cohort'.

Error with Permissions-Policy header: Parse of permissions policy failed because of errors reported by structured header parser. Refused to load the script 'https://kit.fontawesome.com/4c5a3ae49c.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' blob:". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Content Security Policy of your site blocks some resources

Some resources are blocked because their origin is not listed in your site's Content Security Policy (CSP). Your site's CSP is allowlist-based, so resources must be listed in the allowlist in order to be accessed.

A site's Content Security Policy is set either via an HTTP header (recommended) or via a meta HTML tag.

To fix this issue do one of the following:

- (Recommended) If you're using an allowlist for 'script-src', consider switching from an allowlist CSP to a strict CSP, because strict CSPs are more robust against XSS. See how to set a strict CSP.
- Or carefully check that all of the blocked resources are trustworthy; if they are, include their sources in the CSP of your site. ⚠️ Never add a source you don't trust to your site's CSP. If you don't trust the source, consider hosting resources on your own site instead.

Affected resources (1 directive):

| Resource | Status | Directive | Source Location |
| --- | --- | --- | --- |
| https://kit.fontawesome.com/4c5a3ae49c.js | blocked | script-src-elem | admin.php:0 |
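To show why the browser reported the Font Awesome kit as blocked and why it consulted `script-src` rather than `script-src-elem`, here is an added Python checker that mimics the CSP fallback and source-matching rules against the script-related directives of the proposed header. It is not FlatPress code and was not posted by either participant; the page origin `https://blog.example` is a constructed placeholder.

```python
from urllib.parse import urlparse

# Added example, not FlatPress code. Script-related directives copied from the
# proposed CSP above; https://blog.example is a constructed placeholder origin.
PAGE_ORIGIN = "https://blog.example"
PROPOSED_CSP = ("default-src 'self'; base-uri 'self'; "
                "script-src 'self' 'unsafe-inline' blob:; connect-src 'self' blob:;")
FONTAWESOME_KIT = "https://kit.fontawesome.com/4c5a3ae49c.js"

# CSP3 fallback chain: a missing script-src-elem falls back to script-src,
# and any missing fetch directive falls back to default-src.
FALLBACK = {"script-src-elem": ["script-src-elem", "script-src", "default-src"]}

def parse_csp(header):
    """Split 'name src src; name src' into {name: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def origin_of(url):
    parts = urlparse(url)
    return f"{parts.scheme}://{parts.netloc}"

def allows(header, directive, url, page_origin=PAGE_ORIGIN):
    """Return (allowed, directive_used) after applying the fallback chain."""
    policy = parse_csp(header)
    for name in FALLBACK.get(directive, [directive, "default-src"]):
        if name in policy:
            used, sources = name, policy[name]
            break
    else:
        return True, None          # nothing in the policy governs this load
    target = origin_of(url)
    for src in sources:
        if src == "'self'" and target == page_origin:
            return True, used
        if src.endswith(":") and url.lower().startswith(src):   # blob:, data:
            return True, used
        if src.startswith(("http://", "https://")) and origin_of(src) == target:
            return True, used
    return False, used

def allowlist_script_host(header, host_origin):
    """The second fix from the DevTools hint: add one trusted origin to script-src."""
    return header.replace("script-src 'self'", f"script-src 'self' {host_origin}", 1)
```

Self-hosting the kit under the blog's own origin, as the DevTools hint also suggests, passes the `'self'` check without widening the allowlist.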
Fraenkiman commented 2 years ago

Hello @DJPVMA,

Possibly fontawesome uses FLoC. I recommend blocking FLoC by default for security reasons. This is done via the header

Permissions-Policy: interest-cohort=()

The new feature is not yet implemented in all Chrome browsers. If the message is displayed, the browser does not know the new header. Other browsers ignore it and therefore display nothing.

From a data protection point of view, it may make sense to make fonts and icons available locally on your own web server.

If you have an alternative to harden the response header for major browsers, let me know right away. Any suggestion is welcome.

With best regards, Frank