github / secure_headers

Manages application of security headers with many safe defaults
MIT License
3.17k stars, 252 forks

Set `default-src` CSP Attribute to `none` by default #482

Open rzhade3 opened 2 years ago

rzhade3 commented 2 years ago

At GitHub, we set the default-src CSP attribute to none. This provides the strictest possible CSP, as it will then only allow the CSP directives that the user has explicitly allowlisted.

It would be desirable to set this default in secure_headers as well:

https://github.com/github/secure_headers/blob/7f89df2dafb22f1833702eef4a01d4794b2066f0/lib/secure_headers/headers/content_security_policy_config.rb#L133

This would be a breaking change, so if this is desirable, this would fit well in with https://github.com/github/secure_headers/issues/480

vcsjones commented 2 years ago

> At GitHub, we set the default-src CSP attribute to none. This provides the strictest possible CSP as it'll thus only allow CSP directives that the user explicitly has allowlisted.

I see the idea, but I wonder if we should have a broader "defaults" feature. For example, base-uri is a weird one: by default it allows any URI and does not respect default-src. So maybe, in that spirit, we want to provide a default base-uri unless one is specifically stated, or OPT_OUT, or something along those lines.
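The two comments above make one combined point: `default-src 'none'` is a strict starting point, but only for the fetch directives that fall back to it; `base-uri`, `form-action` and `frame-ancestors` have no fallback and stay unrestricted unless set explicitly. The following Ruby is an added example written for this page, not code from the secure_headers gem; it uses a minimal CSP builder of its own, a config hash shaped like the gem's (`directive_symbol => array of sources`), and a hypothetical `:opt_out` marker standing in for the gem's OPT_OUT, to show what a "strict defaults" layer would have to cover.

```ruby
# Added example, not the secure_headers gem's API. The config shape
# (snake_case directive symbol => array of source expressions, e.g.
# { default_src: %w('none') }) mirrors what gem users write; the
# :opt_out marker is a stand-in assumed for this example.

# Fetch directives: when unset, the browser falls back to default-src.
FETCH_DIRECTIVES = %i[
  child_src connect_src font_src frame_src img_src manifest_src
  media_src object_src script_src style_src worker_src
].freeze

# Directives that do NOT fall back to default-src. Leaving them unset
# means "unrestricted", even when default-src is 'none'.
NON_FALLBACK_DIRECTIVES = %i[base_uri form_action frame_ancestors].freeze

# The strict default proposed in the issue.
STRICT_DEFAULTS = { default_src: %w('none') }.freeze

# Serialise a config hash into a Content-Security-Policy header value.
def build_csp(config)
  config.map { |directive, sources|
    "#{directive.to_s.tr('_', '-')} #{sources.join(' ')}"
  }.join('; ')
end

# Effective source list for a directive after applying the fetch fallback.
# Returns nil when the directive is unrestricted.
def effective_sources(config, directive)
  return config[directive] if config.key?(directive)
  if FETCH_DIRECTIVES.include?(directive) && config.key?(:default_src)
    return config[:default_src]
  end
  nil
end

# Non-fallback directives a policy leaves wide open; this is the gap
# that default-src 'none' alone cannot close.
def unrestricted_directives(config)
  NON_FALLBACK_DIRECTIVES.reject { |d| config.key?(d) }
end

# Layer the strict default under a user config. A directive set to the
# (assumed) :opt_out marker is dropped from the emitted policy entirely.
def with_strict_defaults(user_config)
  STRICT_DEFAULTS.merge(user_config).reject { |_, v| v == :opt_out }
end

# Stand-alone demonstration on a constructed config.
if $PROGRAM_NAME == __FILE__
  policy = with_strict_defaults(script_src: %w('self'))
  puts build_csp(policy)
  # script-src is set explicitly; img-src inherits 'none'; base-uri is open.
  p effective_sources(policy, :script_src)
  p effective_sources(policy, :img_src)
  p effective_sources(policy, :base_uri)
  puts "still unrestricted: #{unrestricted_directives(policy).join(', ')}"
end
```

Run with `ruby csp_defaults.rb`. The `unrestricted_directives` check is the practical follow-up to vcsjones's point: a defaults feature that only sets `default-src 'none'` still has to decide what to emit for `base-uri`, `form-action` and `frame-ancestors`, or the policy is less strict than it looks.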