vexim / vexim2

Virtual Exim 2

Use CSP to increase security #209

Closed Udera closed 7 years ago

Udera commented 8 years ago

Follow up of https://github.com/vexim/vexim2/pull/207

Setting up a content security policy -> http://www.html5rocks.com/en/tutorials/security/content-security-policy/ ?

Udera commented 8 years ago

This must be configured in the web server (in its configuration), or in the case of Apache it can be done in a .htaccess:

# The Header directive is provided by mod_headers, not mod_env
<IfModule mod_headers.c>
  Header set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
</IfModule>

Do we put this in the documentation or do we want to ship a .htaccess?

rimas-kudelis commented 7 years ago

I guess you could use header() as usual.

I wonder about the actual use for this header though, and even more about its actual looks. Wouldn't Content-Security-Policy default-src 'self' be basically equivalent to your much longer suggestion?

Udera commented 7 years ago

That's indeed much easier. I created a PR.

Udera commented 7 years ago

Some inline code needs to be removed first. I won't do this for version 2.3.1; perhaps in a later version, or even wait for vexim3.
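To illustrate the equivalence question rimas-kudelis raises above (is "default-src 'self'" the same as the longer policy?) and the inline-code remark in the last comment, here is a toy CSP fallback evaluator. This is an added example, not code from the vexim2 project or from anyone in this thread. It assumes a constructed page origin (https://mail.example.org) and a constructed third-party origin (https://cdn.example.net), and models only the 'self', 'none' and 'unsafe-inline' keywords plus literal origin sources; nonces, hashes, scheme sources and wildcards are out of scope.

```python
"""Toy CSP fallback evaluator (added example, not vexim2 code).

Models just enough of Content-Security-Policy to compare the two header
values discussed in the thread: fetch directives fall back to default-src
when absent, a few directives never fall back, and an inline script/style
block is only allowed when 'unsafe-inline' is present.
"""
from typing import Dict, List, Optional, Tuple

# The two header values from the thread (value part only, no header name).
LONG_POLICY = ("default-src 'none'; script-src 'self'; connect-src 'self'; "
               "img-src 'self'; style-src 'self';")
SHORT_POLICY = "default-src 'self'"

# Constructed sample origins: the page serving the policy and a third party.
PAGE_ORIGIN = "https://mail.example.org"
THIRD_PARTY_ORIGIN = "https://cdn.example.net"

# Fetch directives consult default-src when they are not set explicitly.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "media-src", "object-src", "frame-src", "child-src", "manifest-src",
}
# These directives never fall back to default-src; absent means unrestricted.
NO_FALLBACK_DIRECTIVES = {"form-action", "frame-ancestors", "base-uri"}

Policy = Dict[str, List[str]]


def parse_csp(header_value: str) -> Policy:
    """Split "name src src; name src" into {name: [src, ...]}."""
    policy: Policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue  # empty segment, e.g. after a trailing ';'
        name, *sources = tokens
        policy[name.lower()] = sources
    return policy


def effective_sources(policy: Policy, directive: str) -> Optional[List[str]]:
    """Source list governing `directive`, or None when it is unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")  # None if default-src is absent too
    return None  # form-action etc. have no fallback


def allows(policy: Policy, directive: str, origin: Optional[str]) -> bool:
    """Is a load governed by `directive` from `origin` allowed?

    origin=None denotes an inline script/style block, which in this toy
    needs 'unsafe-inline' (nonces and hashes are not modelled).
    """
    sources = effective_sources(policy, directive)
    if sources is None:
        return True  # nothing restricts this directive
    if "'none'" in sources:
        return False
    if origin is None:
        return "'unsafe-inline'" in sources
    for src in sources:
        if src == "'self'" and origin == PAGE_ORIGIN:
            return True
        if src == origin:  # literal origin source
            return True
    return False


def policy_differences() -> List[Tuple[str, Optional[str], bool, bool]]:
    """Probe both policies; return (directive, origin, long_ok, short_ok) mismatches."""
    long_p, short_p = parse_csp(LONG_POLICY), parse_csp(SHORT_POLICY)
    probes = sorted(FETCH_DIRECTIVES | NO_FALLBACK_DIRECTIVES)
    origins = [PAGE_ORIGIN, THIRD_PARTY_ORIGIN, None]  # None = inline block
    diffs = []
    for directive in probes:
        for origin in origins:
            long_ok = allows(long_p, directive, origin)
            short_ok = allows(short_p, directive, origin)
            if long_ok != short_ok:
                diffs.append((directive, origin, long_ok, short_ok))
    return diffs


if __name__ == "__main__":
    for directive, origin, long_ok, short_ok in policy_differences():
        shown = origin or "<inline>"
        print(f"{directive:16} {shown:26} long={long_ok} short={short_ok}")
```

Running it shows that the two policies agree on script, style, image and connect loads, and both block inline scripts and styles (which is why the inline code has to go before either header can be shipped). They differ on the fetch directives the longer policy never named: under "default-src 'none'" fonts, media, plugins, frames and manifests are blocked even from the page's own origin, while "default-src 'self'" permits them. Neither value restricts form-action, frame-ancestors or base-uri, which do not fall back to default-src at all.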