haiwen / seahub

The web end of seafile server.
seafile.com
Other
529 stars 370 forks source link

Content Security Policy (CSP) Header Not Set #6246

Closed MarioBinder closed 5 months ago

MarioBinder commented 5 months ago

Content Security Policy (CSP) Header Not Set Server Version: 10.0.1

Description Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

Solution Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.

References: https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html https://www.w3.org/TR/CSP/ https://w3c.github.io/webappsec-csp/ https://web.dev/articles/csp https://caniuse.com/#feat=contentsecuritypolicy https://content-security-policy.com/

freeplant commented 5 months ago

Content security policy can be set in Nginx configuration according your own need. It is not part of Seafile.