washingtonstateuniversity / WSUWP-Platform

Central publishing platform built on WordPress at Washington State University

Explore content security policies and determine a good default configuration for WSUWP sites. #372

Open jeremyfelt opened 8 years ago

jeremyfelt commented 8 years ago

Reading:

Use the always parameter when appropriate. http://nginx.org/en/docs/http/ngx_http_headers_module.html

jeremyfelt commented 7 years ago

Added an initial CSP to only wsu.edu today:

add_header Content-Security-Policy-Report-Only "default-src https://wsu.edu https://*.wsu.edu; script-src 'unsafe-inline' https://wsu.edu https://*.wsu.edu https://use.typekit.net https://ajax.googleapis.com https://www.google-analytics.com https://www.googletagmanager.com; style-src 'unsafe-inline' https://wsu.edu https://*.wsu.edu https://fonts.googleapis.com; img-src *; font-src data: https://wsu.edu https://*.wsu.edu https://fonts.gstatic.com https://use.typekit.net; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; report-uri https://wsu.report-uri.io/r/default/csp/reportonly";

I have reporting set up through report-uri.io, so we'll get some info on this and see what's missing.
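An added example, not code from the WSUWP-Platform project, showing two things a practitioner would want while running a policy in Report-Only mode: a quick lint of the header value posted above (it flags `'unsafe-inline'` in `script-src`/`style-src`, the bare `*` in `img-src`, and the `base-uri`/`form-action` directives that never fall back to `default-src`), and a small tally over violation reports of the kind browsers POST to the `report-uri` endpoint. The policy string is the one from the comment; the report bodies and the `example.net`/`example.org` hosts in them are constructed samples.

```python
"""Lint a Content-Security-Policy value and tally CSP violation reports.

Added example (not from the WSUWP-Platform repository). WSU_POLICY is the
Report-Only value posted in the issue; SAMPLE_REPORTS are constructed report
bodies in the JSON shape browsers send to a report-uri endpoint.
"""
import json
from collections import Counter
from urllib.parse import urlsplit

# Header value as posted in the issue (Content-Security-Policy-Report-Only).
WSU_POLICY = (
    "default-src https://wsu.edu https://*.wsu.edu; "
    "script-src 'unsafe-inline' https://wsu.edu https://*.wsu.edu https://use.typekit.net "
    "https://ajax.googleapis.com https://www.google-analytics.com https://www.googletagmanager.com; "
    "style-src 'unsafe-inline' https://wsu.edu https://*.wsu.edu https://fonts.googleapis.com; "
    "img-src *; "
    "font-src data: https://wsu.edu https://*.wsu.edu https://fonts.gstatic.com https://use.typekit.net; "
    "frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; "
    "reflected-xss block; report-uri https://wsu.report-uri.io/r/default/csp/reportonly"
)


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directives are ';'-separated; the first token is the directive name and
    the remaining tokens are its values. A repeated directive keeps its first
    occurrence, which is how browsers treat duplicates.
    """
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def lint_csp(policy: str) -> list[str]:
    """Return human-readable findings for well-known weak patterns."""
    d = parse_csp(policy)
    findings = []
    # 'unsafe-inline' in script-src lets injected inline <script> run, so the
    # policy no longer stops reflected/stored XSS; nonces or hashes replace it.
    for directive in ("script-src", "style-src"):
        if "'unsafe-inline'" in d.get(directive, []):
            findings.append(f"{directive} allows 'unsafe-inline'")
    # A bare '*' permits any origin, so the directive restricts nothing.
    for directive, values in d.items():
        if "*" in values:
            findings.append(f"{directive} is '*' (no restriction at all)")
    # These directives do not inherit from default-src; unset means unrestricted.
    for directive in ("base-uri", "form-action"):
        if directive not in d:
            findings.append(f"{directive} not set (does not fall back to default-src)")
    if "report-uri" not in d and "report-to" not in d:
        findings.append("no report-uri/report-to: violations would go unseen")
    return findings


# Constructed sample reports (hosts are placeholders, not real WSU assets).
def _report(directive: str, blocked: str) -> str:
    return json.dumps({"csp-report": {
        "document-uri": "https://wsu.edu/",
        "violated-directive": directive,
        "effective-directive": directive,
        "original-policy": WSU_POLICY,
        "disposition": "report",      # "enforce" once the header is switched
        "blocked-uri": blocked,
        "status-code": 200,
    }})


SAMPLE_REPORTS = [
    _report("script-src", "https://cdn.example.net/widget.js"),
    _report("script-src", "https://cdn.example.net/widget.js"),
    _report("connect-src", "https://api.example.org/v1/search"),
]


def summarize_report(body: str) -> dict:
    """Pull the fields needed for triage out of one report body."""
    r = json.loads(body)["csp-report"]
    # Older browsers omit effective-directive and may put the whole source
    # list in violated-directive, hence the split().
    directive = r.get("effective-directive") or r["violated-directive"].split()[0]
    return {
        "directive": directive,
        "blocked": r.get("blocked-uri", ""),
        "document": r.get("document-uri", ""),
        "enforced": r.get("disposition") == "enforce",
    }


def tally_reports(bodies: list[str]) -> Counter:
    """Count (directive, blocked host) pairs: the 'what's missing' view."""
    counts: Counter = Counter()
    for body in bodies:
        s = summarize_report(body)
        host = urlsplit(s["blocked"]).netloc or s["blocked"]  # 'inline', 'data', etc.
        counts[(s["directive"], host)] += 1
    return counts


if __name__ == "__main__":
    for finding in lint_csp(WSU_POLICY):
        print("finding:", finding)
    for (directive, host), n in tally_reports(SAMPLE_REPORTS).most_common():
        print(f"{n:4d}  {directive:12s} {host}")
```

The tally is the same grouping a service like report-uri.io presents: each (directive, host) row is either a source that belongs in the allowlist or one to investigate before switching the header from Report-Only to enforcing.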