nccgroup / sobelow

Security-focused static analysis for the Phoenix Framework
Apache License 2.0

Question about how to solve error: `Config.CSP: Missing Content-Security-Policy - High Confidence` #61

Closed pdgonzalez872 closed 4 years ago

pdgonzalez872 commented 4 years ago

I just created a fresh phx application and added sobelow. I then ran the below:

```
my-app [my-branch] :> mix sobelow
##############################################
#                                            #
#          Running Sobelow - v0.10.1         #
#  Created by Griffin Byatt - @griffinbyatt  #
#     NCC Group - https://nccgroup.trust     #
#                                            #
##############################################

Config.CSP: Missing Content-Security-Policy - High Confidence
File: lib/my_app_web/router.ex
Pipeline: browser
Line: 9

-----------------------------------------------

Config.HTTPS: HTTPS Not Enabled - High Confidence

-----------------------------------------------

... SCAN COMPLETE ...
```

Looking at the help, I was pointed to: https://hexdocs.pm/phoenix/Phoenix.Controller.html#put_secure_browser_headers/2

But, I'm not exactly sure how to fix this issue here. After doing some research, there is some discussion that folks either disable the check or implement some in-house solution: https://elixirforum.com/t/working-content-security-policy-for-phoenix-channels/11443

When it comes to security I always defer to public and discussed solutions, since incorrect in-house solutions are usually the ones that end up failing and causing vulnerabilities.

So I have a couple of questions:

1) Is there a set of policies you suggest we use?

`plug :put_secure_browser_headers, %{"Content-Security-Policy" => "what should go here?"}`

2) If question 1 is answered, could I create a patch to add some docs on potential fixes for this issue?

Thank you for your time and thank you for sobelow. This is very helpful and makes you think about things that pay off in the future. Along with credo, it is a must-have lib in a lot of people's opinion. ❤️

pdgonzalez872 commented 4 years ago

Seems this could be a bug? Because it seems Phoenix sets the policies here: https://github.com/phoenixframework/phoenix/blob/master/lib/phoenix/controller.ex#L1122-L1129. Maybe this is showing a false positive? If so, we should probably re-think the check itself?

GriffinMB commented 4 years ago

Hey, thanks for opening this issue!

The right Content Security Policy is heavily dependent on how you manage resources in your application. You can find examples of good CSPs here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

That said, the best policy would be `plug :put_secure_browser_headers, %{"content-security-policy" => "default-src 'self'"}`, which mitigates most typical XSS vectors. Fortunately, when it comes to CSP, just about any policy is better than none, and you won't decrease security over having none at all.

> Seems this could be a bug? Because it seems Phoenix sets the policies here

Phoenix sets a handful of good security headers, but does not set the CSP since it's app specific!

If you'd like to add a good CSP example here that would be great: https://github.com/nccgroup/sobelow/blob/master/lib/sobelow/config/csp.ex#L15

Thanks again!
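The fix discussed in this thread, written out as an added example rather than code from the sobelow or Phoenix projects: the `browser` pipeline flagged by `Config.CSP` gets a `content-security-policy` header through `put_secure_browser_headers/2`, starting from the `default-src 'self'` baseline suggested above. The module name `MyAppWeb`, the `MyAppWeb.CSP` helper and the example hosts are assumptions.

```elixir
# Assumed helper module (not part of Phoenix or sobelow): keeps the policy as
# data so each directive is reviewable instead of hidden in one long string.
defmodule MyAppWeb.CSP do
  # Start from the baseline in the thread: only same-origin resources.
  # Loosen individual directives deliberately, never default-src itself.
  @directives [
    {"default-src", ["'self'"]},
    {"script-src", ["'self'"]},
    {"style-src", ["'self'"]},
    {"img-src", ["'self'", "data:"]},
    # Phoenix channels open a WebSocket; CSP governs that via connect-src,
    # so list the socket origins explicitly (example hosts, adjust per env).
    {"connect-src", ["'self'", "ws://localhost:4000", "wss://example.com"]},
    # Stop the page from being embedded elsewhere (clickjacking).
    {"frame-ancestors", ["'none'"]}
  ]

  # Serialises the directive list into the header value, e.g.
  # "default-src 'self'; script-src 'self'; ..."
  def policy do
    Enum.map_join(@directives, "; ", fn {directive, sources} ->
      directive <> " " <> Enum.join(sources, " ")
    end)
  end
end

defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_flash
    plug :protect_from_forgery
    # The map is merged with Phoenix's default secure headers; the CSP is the
    # one header Phoenix leaves to the app, which is what sobelow reports.
    plug :put_secure_browser_headers,
         %{"content-security-policy" => MyAppWeb.CSP.policy()}
  end

  scope "/", MyAppWeb do
    pipe_through :browser
    get "/", PageController, :index
  end
end
```

After the change, re-running `mix sobelow` should no longer report `Config.CSP` for this pipeline; the browser console is the place to check for resources the policy now blocks.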

pdgonzalez872 commented 4 years ago

@GriffinMB thanks for the reply and suggestion. Perfect, I added a PR to add the docs we discussed above.

Thanks again!