neos / neos-development-collection

The unified repository containing the Neos core packages, used for Neos development.
https://www.neos.io/
GNU General Public License v3.0

FEATURE: Content-Security-Policy-Header #5177

Open t-heuser opened 2 weeks ago

t-heuser commented 2 weeks ago

Is there an existing issue for this topic?

Description

I'd love to see the Content-Security-Policy header (CSP) implemented in the Neos core for both backend and frontend.

It would make Neos projects more secure by default; it could mitigate XSS attacks, for example.

Possible Solution

There is already an existing package for Neos that adds CSP, but it's very old and no longer works. Still, I guess it will be very useful as inspiration.

I tried to repair the package myself, but there were issues with nonces and caching, like others described in this Slack thread.

bwaidelich commented 2 weeks ago

Just one note (as mentioned before): Whatever the implementation is, it should not be based on Fusion in my opinion because that bakes the CSP rules into the content cache (which in turn means that caches have to be flushed whenever they change – unless we manage to put them into some dedicated cache segment)
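To make the nonce-and-cache problem from both comments concrete, here is a small added illustration in plain PHP. It is not Neos or Flow code and not the approach the thread settled on; the content cache is a plain array, and the placeholder-substitution strategy (`NONCE_PLACEHOLDER`, `respond()`) is one hypothetical way to keep the per-request nonce out of the cached markup.

```php
<?php
// Added illustration (not Neos/Flow code): a CSP nonce that is rendered into
// the cached page body only matches the header of the request that filled the
// cache; every later request gets a fresh header nonce and a stale body nonce.

function generateNonce(): string
{
    // 128 bits of randomness, base64-encoded, as CSP recommends for nonces.
    return base64_encode(random_bytes(16));
}

// BROKEN: nonce baked into the cached markup (what a Fusion-rendered nonce
// inside the content cache amounts to). Only the first request is consistent.
function renderNonceIntoCache(array &$cache, string $nonce): string
{
    if (!isset($cache['page'])) {
        $cache['page'] = '<script nonce="' . $nonce . '">init();</script>';
    }
    return $cache['page'];
}

// WORKS: the cache holds a placeholder; the nonce is substituted per request,
// outside the content cache, at the same point the header is set.
// In a real system the placeholder must not be something content authors can
// type into a page, or they could mint their own "trusted" script tags.
const NONCE_PLACEHOLDER = '__CSP_NONCE__';

function renderPlaceholderIntoCache(array &$cache): string
{
    if (!isset($cache['page'])) {
        $cache['page'] = '<script nonce="' . NONCE_PLACEHOLDER . '">init();</script>';
    }
    return $cache['page'];
}

// Returns header, body and the nonce used, so the caller can verify they agree.
function respond(array &$cache): array
{
    $nonce  = generateNonce();
    $body   = str_replace(NONCE_PLACEHOLDER, $nonce, renderPlaceholderIntoCache($cache));
    $header = "script-src 'nonce-{$nonce}'; object-src 'none'; base-uri 'none'";
    return ['Content-Security-Policy' => $header, 'body' => $body, 'nonce' => $nonce];
}

// Demo: two requests against each strategy, checking header/body agreement.
$brokenCache = [];
$goodCache   = [];
foreach ([1, 2] as $i) {
    $n      = generateNonce();
    $broken = strpos(renderNonceIntoCache($brokenCache, $n), 'nonce="' . $n . '"') !== false;
    $r      = respond($goodCache);
    $good   = strpos($r['body'], 'nonce="' . $r['nonce'] . '"') !== false;
    echo "request $i: baked-in nonce matches header: " . ($broken ? 'yes' : 'no')
       . ", placeholder nonce matches header: " . ($good ? 'yes' : 'no') . PHP_EOL;
}
```

Run with `php csp_nonce_cache.php`; the baked-in variant matches only on request 1, the placeholder variant on both, which is the cache-segment problem bwaidelich describes.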