
Setup Content Security Policy header #395

Closed
mtracz opened this issue Feb 14, 2024 · 0 comments · Fixed by #412
Labels: environment (deployment, testing and other devops stuff), security (security related stuff)

Comments

mtracz (Member) commented Feb 14, 2024

We should implement a CSP header.

Currently https://observatory.mozilla.org/analyze/toby.blumilk.pl
shows a 75/100 score because of that.

I think we can set it in a docker compose label as a Traefik headers middleware, or via a meta tag.
The rules below should be validated so they do not block img-src or font-src.
e.g.

traefik.http.middlewares.csp-header.headers.contentSecurityPolicy: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; frame-src 'self'; object-src 'none'; require-trusted-types-for 'script';"

# or

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; frame-src 'self'; object-src 'none'; require-trusted-types-for 'script';">

Then add the csp-header@docker middleware to traefik.http.routers.toby-prod-app.middlewares.

https://infosec.mozilla.org/guidelines/web_security#content-security-policy
https://csp-evaluator.withgoogle.com/
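One way to validate the proposed rules offline before wiring them into Traefik, as an added example that is not part of this issue or of the Toby code base: the script parses the policy string from the comment above, reports weak or ineffective settings (including that frame-ancestors is ignored by browsers when a policy is delivered in a meta tag, so only the header route actually protects against framing), and checks whether sample image, font and script URLs would be allowed. Directive names, fallback order and keywords follow the CSP specification; the sample resource URLs and the toby.blumilk.pl page origin are constructed for illustration, and host-source matching is simplified (exact scheme and port, path as a prefix).

```python
"""Offline CSP checker: an added example, not code from the Toby project. It parses a
policy into directives, flags weak or ineffective settings, and answers "would this
resource be allowed?" so rules can be validated before they block img-src or font-src.
ISSUE_POLICY is the policy proposed in the issue; the sample URLs are constructed."""
from urllib.parse import urlparse

ISSUE_POLICY = (
    "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
    "img-src 'self' data:; font-src 'self'; frame-ancestors 'none'; base-uri 'self'; "
    "form-action 'self'; frame-src 'self'; object-src 'none'; "
    "require-trusted-types-for 'script';"
)
# Directives browsers ignore when the policy arrives via <meta http-equiv> (CSP spec).
META_IGNORED = {"frame-ancestors", "report-uri", "report-to", "sandbox"}
# Fetch directive -> directive consulted when it is absent (frame-src -> child-src -> default-src).
FALLBACK = {"frame-src": "child-src", **{d: "default-src" for d in (
    "img-src", "font-src", "script-src", "style-src", "connect-src", "object-src", "child-src")}}

def parse_csp(policy):
    """'dir a b; dir2 c' -> {'dir': ['a', 'b'], 'dir2': ['c']}; first occurrence wins, as in browsers."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def effective_sources(directives, directive):
    """Source list governing `directive` after the fallback chain; None = nothing governs it."""
    name = directive
    while name is not None:
        if name in directives:
            return directives[name]
        name = FALLBACK.get(name)
    return None

def _host_source_matches(src, url, origin):
    """[scheme://]host[:port][/path]; a leading '*.' matches subdomains only.
    Simplified: scheme and port must match exactly, the path is a prefix check."""
    pattern = urlparse(src if "://" in src else f"{origin.scheme}://{src}")
    host, url_host = pattern.hostname or "", url.hostname or ""
    if pattern.scheme != url.scheme or pattern.port != url.port:
        return False
    if host.startswith("*.") and not url_host.endswith(host[1:]):
        return False
    if not host.startswith("*.") and url_host != host:
        return False
    return not pattern.path or (url.path or "/").startswith(pattern.path)

def allows(directives, directive, resource_url, page_origin):
    """True if a resource fetched under `directive` is permitted by the policy."""
    sources = effective_sources(directives, directive)
    if sources is None:
        return True
    url, origin = urlparse(resource_url), urlparse(page_origin)
    for src in sources:
        s = src.lower()
        if s == "'self'":
            if (url.scheme, url.netloc) == (origin.scheme, origin.netloc):
                return True
        elif s.startswith("'"):
            continue  # 'none', 'unsafe-inline', 'nonce-...', 'sha256-...' never match a URL
        elif s == "*":
            if url.scheme in ("http", "https", "ws", "wss"):  # '*' excludes data:/blob:
                return True
        elif s.endswith(":") and "/" not in s:
            if url.scheme == s[:-1]:  # scheme-source such as data: or https:
                return True
        elif _host_source_matches(src, url, origin):
            return True
    return False  # empty list, 'none' only, or no matching source

def audit(policy, delivery="header"):
    """Findings a reviewer would raise; `delivery` is "header" or "meta"."""
    d, findings = parse_csp(policy), []
    for name in ("script-src", "style-src"):
        srcs = [s.lower() for s in effective_sources(d, name) or []]
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in srcs)
        if "'unsafe-inline'" in srcs and not has_nonce_or_hash:
            findings.append(f"{name}: 'unsafe-inline' allows injected inline {name[:-4]}")
        if "*" in srcs or "https:" in srcs or "http:" in srcs:
            findings.append(f"{name}: wildcard source allows any origin")
    if (effective_sources(d, "object-src") or []) != ["'none'"]:
        findings.append("object-src should be 'none'")
    findings += [f"{n} is not set" for n in ("base-uri", "frame-ancestors") if n not in d]
    if delivery == "meta":
        findings += [f"{n} is ignored in a <meta> policy; send it as an HTTP header"
                     for n in sorted(META_IGNORED & d.keys())]
    return findings

if __name__ == "__main__":
    d, page = parse_csp(ISSUE_POLICY), "https://toby.blumilk.pl"
    for directive, url in [("img-src", "https://toby.blumilk.pl/img/logo.png"),  # constructed
                           ("img-src", "data:image/png;base64,iVBORw0KGgo="),
                           ("font-src", "https://fonts.gstatic.com/s/inter/v12/inter.woff2")]:
        print("ALLOW" if allows(d, directive, url, page) else "BLOCK", directive, url)
    for delivery in ("header", "meta"):
        print(delivery, *audit(ISSUE_POLICY, delivery), sep="\n - ")
```

Run against the policy above it reports only the style-src 'unsafe-inline' allowance for the header route, and additionally that frame-ancestors would be dropped if the meta-tag route were chosen; a font served from fonts.gstatic.com would be blocked, which is exactly the kind of asset worth enumerating before the middleware goes live.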

mtracz added the environment and security labels on Feb 14, 2024
kamilpiech97 added a commit that referenced this issue Mar 26, 2024
kamilpiech97 added a commit that referenced this issue Jul 31, 2024
* #395 - added csp header

* #395 - fix

* - updated csp

* #395 - fix

* #395 - fix 2
kamilpiech97 added a commit that referenced this issue Jul 31, 2024
#395 - fix: updated if statement for csp header