unioslo / nivlheim

A system for collecting key information from all your servers and presenting it through an easy-to-use web GUI with search and browse functions. The previous generation of this system is used in production at the University of Oslo, Norway.
GNU General Public License v3.0

Content Security Policy on the website #33

Closed oyvindhagberg closed 5 years ago

oyvindhagberg commented 6 years ago

https://scotthelme.co.uk/content-security-policy-an-introduction/
https://content-security-policy.com/
https://scotthelme.co.uk/protect-site-from-cryptojacking-csp-sri/
https://www.troyhunt.com/add-ons-extensions-and-csp-violations-playing-nice-with-content-security-policies/
https://report-uri.com/

Also implement:

Test with this:

oyvindhagberg commented 5 years ago

Integrity hashes should be put in place where the 3rd party libraries are actually downloaded, which is in the RPM building process. Create a sha256sum-file and add a command in nivlheim.spec that verifies the checksums.
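The checksum step described in the comment above, as an added example that is not code from the nivlheim repository: one function writes a SHA256SUMS manifest for a directory of vendored third-party files when they are downloaded, a second verifies it later (for instance from the %prep section of the spec), and a third derives the matching Subresource Integrity value for the script or link tag. The directory layout and file names are assumptions.

```shell
# Added example (not part of nivlheim): manifest creation, manifest verification
# and SRI hash derivation for vendored third-party libraries. Requires GNU
# coreutils sha256sum and openssl; the directory layout is an assumption.
set -eu

# Write dir/SHA256SUMS covering every regular file in dir except the manifest
# itself. Run this once, at the point where the libraries are downloaded.
make_manifest() {
    ( cd "$1" && for f in *; do
          if [ -f "$f" ] && [ "$f" != SHA256SUMS ]; then sha256sum "$f"; fi
      done > SHA256SUMS )
}

# Re-check every file listed in dir/SHA256SUMS. Exits non-zero if any file was
# changed, is missing, or the manifest has a malformed line (--strict).
verify_manifest() {
    ( cd "$1" && sha256sum --check --strict --quiet SHA256SUMS )
}

# Subresource Integrity value for one file: "sha256-" followed by the
# base64-encoded raw digest, as used in the integrity="..." HTML attribute.
sri_hash() {
    printf 'sha256-%s' "$(openssl dgst -sha256 -binary "$1" | openssl base64 -A)"
}
```

In the spec file the verification is a single line, `sha256sum --check --strict SHA256SUMS`, run from the vendored directory so that a tampered or substituted download fails the build instead of being packaged.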