OWASP - User contributions [en]

Content Security Policy Cheat Sheet

2015-04-04T12:38:03Z

Denis Vinicius de Mello: /* CSP Cheat Sheet - Guide for main technologies */

Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and more importantly to reduce the harm caused by content injection attacks.

= Introduction =

Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and '''more importantly to reduce the harm caused by content injection attacks.'''

= Main Reference =

The most recent version of the CSP standard can be found here: https://w3c.github.io/webappsec/specs/content-security-policy/

= CSP Cheat Sheet - Guide for main technologies =

This section summarizes the implementation and/or support for CSP in different technologies (either acting as Client or Server).
See below the details.

'''Google Chrome'''

Google Chrome based web applications and theme uses a manifest file named manifest.json.
There is a section in the manifest file where the developer can declare the CSP directives.
For further details, please refer to Content Security Police for Google Chrome.

{
''// Required''
"manifest_version": 2,
"name": "My Extension",
"version": "versionString",

''// Recommended''
"default_locale": "en",
"description": "A plain text description",
"icons": {...},

''// Pick one (or none)''
"browser_action": {...},
"page_action": {...},

''// Optional''
"author": ...,
"automation": ...,
"background": {
// Recommended
"persistent": false
},
"background_page": ...,
"chrome_settings_overrides": {...},
"chrome_ui_overrides": {
"bookmarks_ui": {
"remove_bookmark_shortcut": true,
"remove_button": true
}
},
"chrome_url_overrides": {...},
"commands": ...,
"content_pack": ...,
"content_scripts": [{...}],
"content_security_policy": "policyString",
"converted_from_user_script": ...,
"current_locale": ...,
"devtools_page": ...,
"externally_connectable": {
"matches": ["*://*.example.com/*"]
},
"file_browser_handlers": [...],
"homepage_url": "http://path/to/homepage",
"import": ...,
"incognito": "spanning or split",
"input_components": ...,
"key": "publicKey",
"minimum_chrome_version": "versionString",
"nacl_modules": [...],
"oauth2": ...,
"offline_enabled": true,
"omnibox": {
"keyword": "aString"
},
"optional_permissions": ...,
"options_page": "aFile.html",
"options_ui": ...,
"page_actions": ...,
"permissions": [...],
"platforms": ...,
"plugins": [...],
"requirements": {...},
"sandbox": [...],
"script_badge": ...,
"short_name": "Short Name",
"signature": ...,
"spellcheck": ...,
"storage": {
"managed_schema": "schema.json"
},
"system_indicator": ...,
"tts_engine": ...,
"update_url": "http://path/to/updateInfo.xml",
"web_accessible_resources": [...]}

'''Apache'''

It is required to add lines to the httpd.conf configuration file, or inside .htaccess files or virtual host sections.
Also, it is required to enable mod_headers, and after inserting the lines according to your specific needs, restart Apache.
The headers below are good examples to add in the files (change/modify it properly):

Header unset Content-Security-Policy
Header add Content-Security-Policy "default-src 'self'"
Header unset X-Content-Security-Policy
Header add X-Content-Security-Policy "default-src 'self'"
Header unset X-WebKit-CSP Header add X-WebKit-CSP "default-src 'self'"

'''WordPress'''

Most of the configuration can be done in Apache, however, Wordpress has a plugin that allows developers/administrator to set up their own custom policies. The plugin however is not update for 2 years. Use it carefully.
A workaround can be the creation or modification of the file htaccess under wp-admin directory.

An example:

<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self';
img-src 'self' data: http: https: *.gravatar.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline' http: https: fonts.googleapis.com;
font-src 'self' data: http: https: fonts.googleapis.com themes.googleusercontent.com;"
</IfModule>

'''nginx'''

<nowiki>For nginx, it is required to edit the nginx.conf file.

# config to don't allow the browser to render the page inside an frame or iframe

# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking

# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;

# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,

# to disable content-type sniffing on some browsers.

# https://www.owasp.org/index.php/List_of_useful_HTTP_headers

# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx

# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx

# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
add_header X-Content-Type-Options nosniff;

# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.

# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for

# this particular website if it was disabled by the user.

# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block";

# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),

# you can tell the browser that it can only download content from the domains you explicitly allow

# http://www.html5rocks.com/en/tutorials/security/content-security-policy/

# https://www.owasp.org/index.php/Content_Security_Policy

# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'

# directives for css and js(if you have inline css or js, you will need to keep it too).

# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://example.com https://example1.com; style-src https://example.com; font-src https://example.com; frame-src https://example.com; object-src 'none'";

server {
listen 443 ssl default deferred;
server_name .forgott.com;

ssl_certificate the_path_of_your_certificate.crt;
ssl_certificate_key the_path_of_your_key.key;</nowiki>

'''Django'''

Django recently introduced a package with a number a collection of models, views and middlewares to aid secure Django based projects.
The installation of this model can be done through from Python packages repository:
pip install django-security
Also, the the latest development version, install from django-security repository on GitHub:
git clone https://github.com/sdelements/django-security.git
cd django-security
sudo python setup.py install
For each Djangon’s application, the settings.py file must be modified.

== INSTALLED_APPS = (
...
'security',
...
)
==

Middleware modules can be added to MIDDLEWARE_CLASSES list in settings file. Particularly, it is our interesting the ContentSecurityPolicyMiddleware. It sends Content Security Policy (CSP) header in HTTP response.:

== MIDDLEWARE_CLASSES = (
...
'security.middleware.DoNotTrackMiddleware',
==

= Authors and Primary Editors =

Neil Mattatall - neil[at]owasp.org 
Denis Mello - ddtaxe

= Other Cheatsheets =
{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]]

Content Security Policy Cheat Sheet

2015-04-04T12:36:22Z

Denis Vinicius de Mello: /* CSP Cheat Sheet - Guide for main technologies */

Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and more importantly to reduce the harm caused by content injection attacks.

= Introduction =

Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and '''more importantly to reduce the harm caused by content injection attacks.'''

= Main Reference =

The most recent version of the CSP standard can be found here: https://w3c.github.io/webappsec/specs/content-security-policy/

= CSP Cheat Sheet - Guide for main technologies =

This section summarizes the implementation and/or support for CSP in different technologies (either acting as Client or Server).
See below the details.

'''Google Chrome'''

Google Chrome based web applications and theme uses a manifest file named manifest.json.
There is a section in the manifest file where the developer can declare the CSP directives.
For further details, please refer to Content Security Police for Google Chrome.

{
''// Required''
"manifest_version": 2,
"name": "My Extension",
"version": "versionString",

''// Recommended''
"default_locale": "en",
"description": "A plain text description",
"icons": {...},

''// Pick one (or none)''
"browser_action": {...},
"page_action": {...},

''// Optional''
"author": ...,
"automation": ...,
"background": {
// Recommended
"persistent": false
},
"background_page": ...,
"chrome_settings_overrides": {...},
"chrome_ui_overrides": {
"bookmarks_ui": {
"remove_bookmark_shortcut": true,
"remove_button": true
}
},
"chrome_url_overrides": {...},
"commands": ...,
"content_pack": ...,
"content_scripts": [{...}],
"content_security_policy": "policyString",
"converted_from_user_script": ...,
"current_locale": ...,
"devtools_page": ...,
"externally_connectable": {
"matches": ["*://*.example.com/*"]
},
"file_browser_handlers": [...],
"homepage_url": "http://path/to/homepage",
"import": ...,
"incognito": "spanning or split",
"input_components": ...,
"key": "publicKey",
"minimum_chrome_version": "versionString",
"nacl_modules": [...],
"oauth2": ...,
"offline_enabled": true,
"omnibox": {
"keyword": "aString"
},
"optional_permissions": ...,
"options_page": "aFile.html",
"options_ui": ...,
"page_actions": ...,
"permissions": [...],
"platforms": ...,
"plugins": [...],
"requirements": {...},
"sandbox": [...],
"script_badge": ...,
"short_name": "Short Name",
"signature": ...,
"spellcheck": ...,
"storage": {
"managed_schema": "schema.json"
},
"system_indicator": ...,
"tts_engine": ...,
"update_url": "http://path/to/updateInfo.xml",
"web_accessible_resources": [...]}

'''Apache'''

It is required to add lines to the httpd.conf configuration file, or inside .htaccess files or virtual host sections.
Also, it is required to enable mod_headers, and after inserting the lines according to your specific needs, restart Apache.
The headers below are good examples to add in the files (change/modify it properly):

Header unset Content-Security-Policy
Header add Content-Security-Policy "default-src 'self'"
Header unset X-Content-Security-Policy
Header add X-Content-Security-Policy "default-src 'self'"
Header unset X-WebKit-CSP Header add X-WebKit-CSP "default-src 'self'"

'''WordPress'''

Most of the configuration can be done in Apache, however, Wordpress has a plugin that allows developers/administrator to set up their own custom policies. The plugin however is not update for 2 years. Use it carefully.
A workaround can be the creation or modification of the file htaccess under wp-admin directory.

An example:

<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self';
img-src 'self' data: http: https: *.gravatar.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline' http: https: fonts.googleapis.com;
font-src 'self' data: http: https: fonts.googleapis.com themes.googleusercontent.com;"
</IfModule>

'''nginx'''

<nowiki>For nginx, it is required to edit the nginx.conf file.

# config to don't allow the browser to render the page inside an frame or iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;

# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
add_header X-Content-Type-Options nosniff;

# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block";

# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
# directives for css and js(if you have inline css or js, you will need to keep it too).
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://example.com https://example1.com; style-src https://example.com; font-src https://example.com; frame-src https://example.com; object-src 'none'";

server {
listen 443 ssl default deferred;
server_name .forgott.com;

ssl_certificate the_path_of_your_certificate.crt;
ssl_certificate_key the_path_of_your_key.key;</nowiki>

'''Django'''

Django recently introduced a package with a number a collection of models, views and middlewares to aid secure Django based projects.
The installation of this model can be done through from Python packages repository:
pip install django-security
Also, the the latest development version, install from django-security repository on GitHub:
git clone https://github.com/sdelements/django-security.git
cd django-security
sudo python setup.py install
For each Djangon’s application, the settings.py file must be modified.

== INSTALLED_APPS = (
...
'security',
...
)
==

Middleware modules can be added to MIDDLEWARE_CLASSES list in settings file. Particularly, it is our interesting the ContentSecurityPolicyMiddleware. It sends Content Security Policy (CSP) header in HTTP response.:

== MIDDLEWARE_CLASSES = (
...
'security.middleware.DoNotTrackMiddleware',
==

= Authors and Primary Editors =

Neil Mattatall - neil[at]owasp.org 
Denis Mello - ddtaxe

= Other Cheatsheets =
{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]]

Content Security Policy Cheat Sheet

2015-04-04T12:34:23Z

Denis Vinicius de Mello: /* CSP Cheat Sheet - Guide for main technologies */

Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and more importantly to reduce the harm caused by content injection attacks.

= Introduction =

Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and '''more importantly to reduce the harm caused by content injection attacks.'''

= Main Reference =

The most recent version of the CSP standard can be found here: https://w3c.github.io/webappsec/specs/content-security-policy/

= CSP Cheat Sheet - Guide for main technologies =

This section summarizes the implementation and/or support for CSP in different technologies (either acting as Client or Server).
See below the details.

'''Google Chrome'''

Google Chrome based web applications and theme uses a manifest file named manifest.json.
There is a section in the manifest file where the developer can declare the CSP directives.
For further details, please refer to Content Security Police for Google Chrome.

{
''// Required''
"manifest_version": 2,
"name": "My Extension",
"version": "versionString",

''// Recommended''
"default_locale": "en",
"description": "A plain text description",
"icons": {...},

''// Pick one (or none)''
"browser_action": {...},
"page_action": {...},

''// Optional''
"author": ...,
"automation": ...,
"background": {
// Recommended
"persistent": false
},
"background_page": ...,
"chrome_settings_overrides": {...},
"chrome_ui_overrides": {
"bookmarks_ui": {
"remove_bookmark_shortcut": true,
"remove_button": true
}
},
"chrome_url_overrides": {...},
"commands": ...,
"content_pack": ...,
"content_scripts": [{...}],
"content_security_policy": "policyString",
"converted_from_user_script": ...,
"current_locale": ...,
"devtools_page": ...,
"externally_connectable": {
"matches": ["*://*.example.com/*"]
},
"file_browser_handlers": [...],
"homepage_url": "http://path/to/homepage",
"import": ...,
"incognito": "spanning or split",
"input_components": ...,
"key": "publicKey",
"minimum_chrome_version": "versionString",
"nacl_modules": [...],
"oauth2": ...,
"offline_enabled": true,
"omnibox": {
"keyword": "aString"
},
"optional_permissions": ...,
"options_page": "aFile.html",
"options_ui": ...,
"page_actions": ...,
"permissions": [...],
"platforms": ...,
"plugins": [...],
"requirements": {...},
"sandbox": [...],
"script_badge": ...,
"short_name": "Short Name",
"signature": ...,
"spellcheck": ...,
"storage": {
"managed_schema": "schema.json"
},
"system_indicator": ...,
"tts_engine": ...,
"update_url": "http://path/to/updateInfo.xml",
"web_accessible_resources": [...]}

'''Apache'''

It is required to add lines to the httpd.conf configuration file, or inside .htaccess files or virtual host sections.
Also, it is required to enable mod_headers, and after inserting the lines according to your specific needs, restart Apache.
The headers below are good examples to add in the files (change/modify it properly):

Header unset Content-Security-Policy
Header add Content-Security-Policy "default-src 'self'"
Header unset X-Content-Security-Policy
Header add X-Content-Security-Policy "default-src 'self'"
Header unset X-WebKit-CSP Header add X-WebKit-CSP "default-src 'self'"

'''WordPress'''

Most of the configuration can be done in Apache, however, Wordpress has a plugin that allows developers/administrator to set up their own custom policies. The plugin however is not update for 2 years. Use it carefully.
A workaround can be the creation or modification of the file htaccess under wp-admin directory.

An example:

<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self';
img-src 'self' data: http: https: *.gravatar.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline' http: https: fonts.googleapis.com;
font-src 'self' data: http: https: fonts.googleapis.com themes.googleusercontent.com;"
</IfModule>

'''nginx'''

<nowiki>For nginx, it is required to edit the nginx.conf file.

# config to don't allow the browser to render the page inside an frame or iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;

# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
add_header X-Content-Type-Options nosniff;

# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block";

# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
# directives for css and js(if you have inline css or js, you will need to keep it too).
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://example.com https://example1.com; style-src https://example.com; font-src https://example.com; frame-src https://example.com; object-src 'none'";

server {
listen 443 ssl default deferred;
server_name .forgott.com;

ssl_certificate the_path_of_your_certificate.crt;
ssl_certificate_key the_path_of_your_key.key;</nowiki>

'''===Django'''===

Django recently introduced a package with a number a collection of models, views and middlewares to aid secure Django based projects.
The installation of this model can be done through from Python packages repository:
pip install django-security
Also, the the latest development version, install from django-security repository on GitHub:
git clone https://github.com/sdelements/django-security.git
cd django-security
sudo python setup.py install
For each Djangon’s application, the settings.py file must be modified.

INSTALLED_APPS = (
...
'security',
...
)
Middleware modules can be added to MIDDLEWARE_CLASSES list in settings file. Particularly, it is our interesting the ContentSecurityPolicyMiddleware. It sends Content Security Policy (CSP) header in HTTP response.:
MIDDLEWARE_CLASSES = (
...
'security.middleware.DoNotTrackMiddleware',
'security.ContentSecurityPolicyMiddleware',
'security.middleware.ContentNoSniff',
'security.middleware.XssProtectMiddleware',
'security.middleware.XFrameOptionsMiddleware',
)

= Authors and Primary Editors =

Neil Mattatall - neil[at]owasp.org 
Denis Mello - ddtaxe

= Other Cheatsheets =
{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]]

Content Security Policy Cheat Sheet

2015-04-04T12:32:58Z

Denis Vinicius de Mello: /* CSP Cheat Sheet - Guide for main technologies */

Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and more importantly to reduce the harm caused by content injection attacks.

= Introduction =

Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and '''more importantly to reduce the harm caused by content injection attacks.'''

= Main Reference =

The most recent version of the CSP standard can be found here: https://w3c.github.io/webappsec/specs/content-security-policy/

= CSP Cheat Sheet - Guide for main technologies =

This section summarizes the implementation and/or support for CSP in different technologies (either acting as Client or Server).
See below the details.

'''Google Chrome'''

Google Chrome based web applications and theme uses a manifest file named manifest.json.
There is a section in the manifest file where the developer can declare the CSP directives.
For further details, please refer to Content Security Police for Google Chrome.

{
''// Required''
"manifest_version": 2,
"name": "My Extension",
"version": "versionString",

''// Recommended''
"default_locale": "en",
"description": "A plain text description",
"icons": {...},

''// Pick one (or none)''
"browser_action": {...},
"page_action": {...},

''// Optional''
"author": ...,
"automation": ...,
"background": {
// Recommended
"persistent": false
},
"background_page": ...,
"chrome_settings_overrides": {...},
"chrome_ui_overrides": {
"bookmarks_ui": {
"remove_bookmark_shortcut": true,
"remove_button": true
}
},
"chrome_url_overrides": {...},
"commands": ...,
"content_pack": ...,
"content_scripts": [{...}],
"content_security_policy": "policyString",
"converted_from_user_script": ...,
"current_locale": ...,
"devtools_page": ...,
"externally_connectable": {
"matches": ["*://*.example.com/*"]
},
"file_browser_handlers": [...],
"homepage_url": "http://path/to/homepage",
"import": ...,
"incognito": "spanning or split",
"input_components": ...,
"key": "publicKey",
"minimum_chrome_version": "versionString",
"nacl_modules": [...],
"oauth2": ...,
"offline_enabled": true,
"omnibox": {
"keyword": "aString"
},
"optional_permissions": ...,
"options_page": "aFile.html",
"options_ui": ...,
"page_actions": ...,
"permissions": [...],
"platforms": ...,
"plugins": [...],
"requirements": {...},
"sandbox": [...],
"script_badge": ...,
"short_name": "Short Name",
"signature": ...,
"spellcheck": ...,
"storage": {
"managed_schema": "schema.json"
},
"system_indicator": ...,
"tts_engine": ...,
"update_url": "http://path/to/updateInfo.xml",
"web_accessible_resources": [...]}

'''Apache'''

It is required to add lines to the httpd.conf configuration file, or inside .htaccess files or virtual host sections.
Also, it is required to enable mod_headers, and after inserting the lines according to your specific needs, restart Apache.
The headers below are good examples to add in the files (change/modify it properly):

Header unset Content-Security-Policy
Header add Content-Security-Policy "default-src 'self'"
Header unset X-Content-Security-Policy
Header add X-Content-Security-Policy "default-src 'self'"
Header unset X-WebKit-CSP Header add X-WebKit-CSP "default-src 'self'"

'''WordPress'''

Most of the configuration can be done in Apache, however, Wordpress has a plugin that allows developers/administrator to set up their own custom policies. The plugin however is not update for 2 years. Use it carefully.
A workaround can be the creation or modification of the file htaccess under wp-admin directory.

An example:

<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self';
img-src 'self' data: http: https: *.gravatar.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline' http: https: fonts.googleapis.com;
font-src 'self' data: http: https: fonts.googleapis.com themes.googleusercontent.com;"
</IfModule>

'''nginx'''

<nowiki>For nginx, it is required to edit the nginx.conf file.

# config to don't allow the browser to render the page inside an frame or iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options

add_header X-Frame-Options SAMEORIGIN;

# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
add_header X-Content-Type-Options nosniff;
</nowiki>

<nowiki># This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block";

# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
# directives for css and js(if you have inline css or js, you will need to keep it too).
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://example.com https://example1.com; style-src https://example.com; font-src https://example.com; frame-src https://example.com; object-src 'none'";</nowiki>

server {
listen 443 ssl default deferred;
server_name .forgott.com;

ssl_certificate the_path_of_your_certificate.crt;
ssl_certificate_key the_path_of_your_key.key;

'''===Django'''===

Django recently introduced a package with a number a collection of models, views and middlewares to aid secure Django based projects.
The installation of this model can be done through from Python packages repository:
pip install django-security
Also, the the latest development version, install from django-security repository on GitHub:
git clone https://github.com/sdelements/django-security.git
cd django-security
sudo python setup.py install
For each Djangon’s application, the settings.py file must be modified.

INSTALLED_APPS = (
...
'security',
...
)
Middleware modules can be added to MIDDLEWARE_CLASSES list in settings file. Particularly, it is our interesting the ContentSecurityPolicyMiddleware. It sends Content Security Policy (CSP) header in HTTP response.:
MIDDLEWARE_CLASSES = (
...
'security.middleware.DoNotTrackMiddleware',
'security.ContentSecurityPolicyMiddleware',
'security.middleware.ContentNoSniff',
'security.middleware.XssProtectMiddleware',
'security.middleware.XFrameOptionsMiddleware',
)

= Authors and Primary Editors =

Neil Mattatall - neil[at]owasp.org 
Denis Mello - ddtaxe

= Other Cheatsheets =
{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]]

Content Security Policy Cheat Sheet

2015-04-04T12:30:16Z

Denis Vinicius de Mello: /* CSP Cheat Sheet - Guide for main technologies */

Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and more importantly to reduce the harm caused by content injection attacks.

= Introduction =

Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and '''more importantly to reduce the harm caused by content injection attacks.'''

= Main Reference =

The most recent version of the CSP standard can be found here: https://w3c.github.io/webappsec/specs/content-security-policy/

= CSP Cheat Sheet - Guide for main technologies =

This section summarizes the implementation and/or support for CSP in different technologies (either acting as Client or Server).
See below the details.

'''Google Chrome'''

Google Chrome based web applications and theme uses a manifest file named manifest.json.
There is a section in the manifest file where the developer can declare the CSP directives.
For further details, please refer to Content Security Police for Google Chrome.

{
''// Required''
"manifest_version": 2,
"name": "My Extension",
"version": "versionString",

''// Recommended''
"default_locale": "en",
"description": "A plain text description",
"icons": {...},

''// Pick one (or none)''
"browser_action": {...},
"page_action": {...},

''// Optional''
"author": ...,
"automation": ...,
"background": {
// Recommended
"persistent": false
},
"background_page": ...,
"chrome_settings_overrides": {...},
"chrome_ui_overrides": {
"bookmarks_ui": {
"remove_bookmark_shortcut": true,
"remove_button": true
}
},
"chrome_url_overrides": {...},
"commands": ...,
"content_pack": ...,
"content_scripts": [{...}],
"content_security_policy": "policyString",
"converted_from_user_script": ...,
"current_locale": ...,
"devtools_page": ...,
"externally_connectable": {
"matches": ["*://*.example.com/*"]
},
"file_browser_handlers": [...],
"homepage_url": "http://path/to/homepage",
"import": ...,
"incognito": "spanning or split",
"input_components": ...,
"key": "publicKey",
"minimum_chrome_version": "versionString",
"nacl_modules": [...],
"oauth2": ...,
"offline_enabled": true,
"omnibox": {
"keyword": "aString"
},
"optional_permissions": ...,
"options_page": "aFile.html",
"options_ui": ...,
"page_actions": ...,
"permissions": [...],
"platforms": ...,
"plugins": [...],
"requirements": {...},
"sandbox": [...],
"script_badge": ...,
"short_name": "Short Name",
"signature": ...,
"spellcheck": ...,
"storage": {
"managed_schema": "schema.json"
},
"system_indicator": ...,
"tts_engine": ...,
"update_url": "http://path/to/updateInfo.xml",
"web_accessible_resources": [...]}

'''Apache'''

It is required to add lines to the httpd.conf configuration file, or inside .htaccess files or virtual host sections.
Also, it is required to enable mod_headers, and after inserting the lines according to your specific needs, restart Apache.
The headers below are good examples to add in the files (change/modify it properly):

Header unset Content-Security-Policy
Header add Content-Security-Policy "default-src 'self'"
Header unset X-Content-Security-Policy
Header add X-Content-Security-Policy "default-src 'self'"
Header unset X-WebKit-CSP Header add X-WebKit-CSP "default-src 'self'"

'''WordPress'''

Most of the configuration can be done in Apache, however, Wordpress has a plugin that allows developers/administrator to set up their own custom policies. The plugin however is not update for 2 years. Use it carefully.
A workaround can be the creation or modification of the file htaccess under wp-admin directory.

An example:

<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self';
img-src 'self' data: http: https: *.gravatar.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline' http: https: fonts.googleapis.com;
font-src 'self' data: http: https: fonts.googleapis.com themes.googleusercontent.com;"
</IfModule>

'''nginx'''

For nginx, it is required to edit the nginx.conf file.

[[# config to don't allow the browser to render the page inside an frame or iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options]]

add_header X-Frame-Options SAMEORIGIN;

[[# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
add_header X-Content-Type-Options nosniff;]]

[[# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block";]]

# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
# directives for css and js(if you have inline css or js, you will need to keep it too).
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://example.com https://example1.com; style-src https://example.com; font-src https://example.com; frame-src https://example.com; object-src 'none'";

server {
listen 443 ssl default deferred;
server_name .forgott.com;

ssl_certificate the_path_of_your_certificate.crt;
ssl_certificate_key the_path_of_your_key.key;

'''===Django'''===

Django recently introduced a package with a number a collection of models, views and middlewares to aid secure Django based projects.
The installation of this model can be done through from Python packages repository:
pip install django-security
Also, the the latest development version, install from django-security repository on GitHub:
git clone https://github.com/sdelements/django-security.git
cd django-security
sudo python setup.py install
For each Djangon’s application, the settings.py file must be modified.

INSTALLED_APPS = (
...
'security',
...
)
Middleware modules can be added to MIDDLEWARE_CLASSES list in settings file. Particularly, it is our interesting the ContentSecurityPolicyMiddleware. It sends Content Security Policy (CSP) header in HTTP response.:
MIDDLEWARE_CLASSES = (
...
'security.middleware.DoNotTrackMiddleware',
'security.ContentSecurityPolicyMiddleware',
'security.middleware.ContentNoSniff',
'security.middleware.XssProtectMiddleware',
'security.middleware.XFrameOptionsMiddleware',
)

= Authors and Primary Editors =

Neil Mattatall - neil[at]owasp.org 
Denis Mello - ddtaxe

= Other Cheatsheets =
{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]]

Content Security Policy Cheat Sheet

2015-04-04T12:29:22Z

Denis Vinicius de Mello: /* CSP Cheat Sheet - Guide for main technologies */

Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and more importantly to reduce the harm caused by content injection attacks.

= Introduction =

Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and '''more importantly to reduce the harm caused by content injection attacks.'''

= Main Reference =

The most recent version of the CSP standard can be found here: https://w3c.github.io/webappsec/specs/content-security-policy/

= CSP Cheat Sheet - Guide for main technologies =

This section summarizes the implementation and/or support for CSP in different technologies (either acting as Client or Server).
See below the details.

'''Google Chrome'''

Google Chrome based web applications and theme uses a manifest file named manifest.json.
There is a section in the manifest file where the developer can declare the CSP directives.
For further details, please refer to Content Security Police for Google Chrome.

{
''// Required''
"manifest_version": 2,
"name": "My Extension",
"version": "versionString",

''// Recommended''
"default_locale": "en",
"description": "A plain text description",
"icons": {...},

''// Pick one (or none)''
"browser_action": {...},
"page_action": {...},

''// Optional''
"author": ...,
"automation": ...,
"background": {
// Recommended
"persistent": false
},
"background_page": ...,
"chrome_settings_overrides": {...},
"chrome_ui_overrides": {
"bookmarks_ui": {
"remove_bookmark_shortcut": true,
"remove_button": true
}
},
"chrome_url_overrides": {...},
"commands": ...,
"content_pack": ...,
"content_scripts": [{...}],
"content_security_policy": "policyString",
"converted_from_user_script": ...,
"current_locale": ...,
"devtools_page": ...,
"externally_connectable": {
"matches": ["*://*.example.com/*"]
},
"file_browser_handlers": [...],
"homepage_url": "http://path/to/homepage",
"import": ...,
"incognito": "spanning or split",
"input_components": ...,
"key": "publicKey",
"minimum_chrome_version": "versionString",
"nacl_modules": [...],
"oauth2": ...,
"offline_enabled": true,
"omnibox": {
"keyword": "aString"
},
"optional_permissions": ...,
"options_page": "aFile.html",
"options_ui": ...,
"page_actions": ...,
"permissions": [...],
"platforms": ...,
"plugins": [...],
"requirements": {...},
"sandbox": [...],
"script_badge": ...,
"short_name": "Short Name",
"signature": ...,
"spellcheck": ...,
"storage": {
"managed_schema": "schema.json"
},
"system_indicator": ...,
"tts_engine": ...,
"update_url": "http://path/to/updateInfo.xml",
"web_accessible_resources": [...]}

'''Apache'''

It is required to add lines to the httpd.conf configuration file, or inside .htaccess files or virtual host sections.
Also, it is required to enable mod_headers, and after inserting the lines according to your specific needs, restart Apache.
The headers below are good examples to add in the files (change/modify it properly):

Header unset Content-Security-Policy
Header add Content-Security-Policy "default-src 'self'"
Header unset X-Content-Security-Policy
Header add X-Content-Security-Policy "default-src 'self'"
Header unset X-WebKit-CSP Header add X-WebKit-CSP "default-src 'self'"

'''WordPress'''

Most of the configuration can be done in Apache, however, Wordpress has a plugin that allows developers/administrator to set up their own custom policies. The plugin however is not update for 2 years. Use it carefully.
A workaround can be the creation or modification of the file htaccess under wp-admin directory.

An example:

<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self';
img-src 'self' data: http: https: *.gravatar.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline' http: https: fonts.googleapis.com;
font-src 'self' data: http: https: fonts.googleapis.com themes.googleusercontent.com;"
</IfModule>

'''nginx'''

For nginx, it is required to edit the nginx.conf file.

# config to don't allow the browser to render the page inside an frame or iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options

add_header X-Frame-Options SAMEORIGIN;

# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
add_header X-Content-Type-Options nosniff;

# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block";

# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
# directives for css and js(if you have inline css or js, you will need to keep it too).
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://example.com https://example1.com; style-src https://example.com; font-src https://example.com; frame-src https://example.com; object-src 'none'";

server {
listen 443 ssl default deferred;
server_name .forgott.com;

ssl_certificate the_path_of_your_certificate.crt;
ssl_certificate_key the_path_of_your_key.key;

'''===Django'''===

Django recently introduced a package with a number a collection of models, views and middlewares to aid secure Django based projects.
The installation of this model can be done through from Python packages repository:
pip install django-security
Also, the the latest development version, install from django-security repository on GitHub:
git clone https://github.com/sdelements/django-security.git
cd django-security
sudo python setup.py install
For each Djangon’s application, the settings.py file must be modified.

INSTALLED_APPS = (
...
'security',
...
)
Middleware modules can be added to MIDDLEWARE_CLASSES list in settings file. Particularly, it is our interesting the ContentSecurityPolicyMiddleware. It sends Content Security Policy (CSP) header in HTTP response.:
MIDDLEWARE_CLASSES = (
...
'security.middleware.DoNotTrackMiddleware',
'security.ContentSecurityPolicyMiddleware',
'security.middleware.ContentNoSniff',
'security.middleware.XssProtectMiddleware',
'security.middleware.XFrameOptionsMiddleware',
)

= Authors and Primary Editors =

Neil Mattatall - neil[at]owasp.org 
Denis Mello - ddtaxe

= Other Cheatsheets =
{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]]

Content Security Policy Cheat Sheet

2015-04-04T12:26:53Z

Denis Vinicius de Mello: /* CSP Cheat Sheet - Guide for main technologies */

Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and more importantly to reduce the harm caused by content injection attacks.

= Introduction =

Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and '''more importantly to reduce the harm caused by content injection attacks.'''

= Main Reference =

The most recent version of the CSP standard can be found here: https://w3c.github.io/webappsec/specs/content-security-policy/

= CSP Cheat Sheet - Guide for main technologies =

This section summarizes the implementation and/or support for CSP in different technologies (either acting as Client or Server).
See below the details.

'''Google Chrome'''

Google Chrome based web applications and theme uses a manifest file named manifest.json.
There is a section in the manifest file where the developer can declare the CSP directives.
For further details, please refer to Content Security Police for Google Chrome.

{
''// Required''
"manifest_version": 2,
"name": "My Extension",
"version": "versionString",

''// Recommended''
"default_locale": "en",
"description": "A plain text description",
"icons": {...},

''// Pick one (or none)''
"browser_action": {...},
"page_action": {...},

''// Optional''
"author": ...,
"automation": ...,
"background": {
// Recommended
"persistent": false
},
"background_page": ...,
"chrome_settings_overrides": {...},
"chrome_ui_overrides": {
"bookmarks_ui": {
"remove_bookmark_shortcut": true,
"remove_button": true
}
},
"chrome_url_overrides": {...},
"commands": ...,
"content_pack": ...,
"content_scripts": [{...}],
"content_security_policy": "policyString",
"converted_from_user_script": ...,
"current_locale": ...,
"devtools_page": ...,
"externally_connectable": {
"matches": ["*://*.example.com/*"]
},
"file_browser_handlers": [...],
"homepage_url": "http://path/to/homepage",
"import": ...,
"incognito": "spanning or split",
"input_components": ...,
"key": "publicKey",
"minimum_chrome_version": "versionString",
"nacl_modules": [...],
"oauth2": ...,
"offline_enabled": true,
"omnibox": {
"keyword": "aString"
},
"optional_permissions": ...,
"options_page": "aFile.html",
"options_ui": ...,
"page_actions": ...,
"permissions": [...],
"platforms": ...,
"plugins": [...],
"requirements": {...},
"sandbox": [...],
"script_badge": ...,
"short_name": "Short Name",
"signature": ...,
"spellcheck": ...,
"storage": {
"managed_schema": "schema.json"
},
"system_indicator": ...,
"tts_engine": ...,
"update_url": "http://path/to/updateInfo.xml",
"web_accessible_resources": [...]
}

'''Apache'''

It is required to add lines to the httpd.conf configuration file, or inside .htaccess files or virtual host sections.
Also, it is required to enable mod_headers, and after inserting the lines according to your specific needs, restart Apache.
The headers below are good examples to add in the files (change/modify it properly):

Header unset Content-Security-Policy
Header add Content-Security-Policy "default-src 'self'"
Header unset X-Content-Security-Policy
Header add X-Content-Security-Policy "default-src 'self'"
Header unset X-WebKit-CSP Header add X-WebKit-CSP "default-src 'self'"

'''WordPress'''

Most of the configuration can be done in Apache, however, Wordpress has a plugin that allows developers/administrator to set up their own custom policies. The plugin however is not update for 2 years. Use it carefully.
A workaround can be the creation or modification of the file htaccess under wp-admin directory.

An example:

<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self';
img-src 'self' data: http: https: *.gravatar.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline' http: https: fonts.googleapis.com;
font-src 'self' data: http: https: fonts.googleapis.com themes.googleusercontent.com;"
</IfModule>

'''nginx'''

For nginx, it is required to edit the nginx.conf file.

# config to don't allow the browser to render the page inside an frame or iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;

# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
add_header X-Content-Type-Options nosniff;

# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block";

# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
# directives for css and js(if you have inline css or js, you will need to keep it too).
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://example.com https://example1.com; style-src https://example.com; font-src https://example.com; frame-src https://example.com; object-src 'none'";

server {
listen 443 ssl default deferred;
server_name .forgott.com;

ssl_certificate the_path_of_your_certificate.crt;
ssl_certificate_key the_path_of_your_key.key;

'''===Django'''===

Django recently introduced a package with a number a collection of models, views and middlewares to aid secure Django based projects.
The installation of this model can be done through from Python packages repository:
pip install django-security
Also, the the latest development version, install from django-security repository on GitHub:
git clone https://github.com/sdelements/django-security.git
cd django-security
sudo python setup.py install
For each Djangon’s application, the settings.py file must be modified.

INSTALLED_APPS = (
...
'security',
...
)
Middleware modules can be added to MIDDLEWARE_CLASSES list in settings file. Particularly, it is our interesting the ContentSecurityPolicyMiddleware. It sends Content Security Policy (CSP) header in HTTP response.:
MIDDLEWARE_CLASSES = (
...
'security.middleware.DoNotTrackMiddleware',
'security.ContentSecurityPolicyMiddleware',
'security.middleware.ContentNoSniff',
'security.middleware.XssProtectMiddleware',
'security.middleware.XFrameOptionsMiddleware',
)

= Authors and Primary Editors =

Neil Mattatall - neil[at]owasp.org 
Denis Mello - ddtaxe

= Other Cheatsheets =
{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]]

Content Security Policy Cheat Sheet

2015-04-04T12:26:25Z

Denis Vinicius de Mello: /* CSP Cheat Sheet - Guide for main technologies */

Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and more importantly to reduce the harm caused by content injection attacks.

= Introduction =

Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and '''more importantly to reduce the harm caused by content injection attacks.'''

= Main Reference =

The most recent version of the CSP standard can be found here: https://w3c.github.io/webappsec/specs/content-security-policy/

= CSP Cheat Sheet - Guide for main technologies =

This section summarizes the implementation and/or support for CSP in different technologies (either acting as Client or Server).
See below the details.

'''Google Chromes'''
Google Chrome based web applications and theme uses a manifest file named manifest.json.
There is a section in the manifest file where the developer can declare the CSP directives.
For further details, please refer to Content Security Police for Google Chrome.

{
''// Required''
"manifest_version": 2,
"name": "My Extension",
"version": "versionString",

''// Recommended''
"default_locale": "en",
"description": "A plain text description",
"icons": {...},

''// Pick one (or none)''
"browser_action": {...},
"page_action": {...},

''// Optional''
"author": ...,
"automation": ...,
"background": {
// Recommended
"persistent": false
},
"background_page": ...,
"chrome_settings_overrides": {...},
"chrome_ui_overrides": {
"bookmarks_ui": {
"remove_bookmark_shortcut": true,
"remove_button": true
}
},
"chrome_url_overrides": {...},
"commands": ...,
"content_pack": ...,
"content_scripts": [{...}],
"content_security_policy": "policyString",
"converted_from_user_script": ...,
"current_locale": ...,
"devtools_page": ...,
"externally_connectable": {
"matches": ["*://*.example.com/*"]
},
"file_browser_handlers": [...],
"homepage_url": "http://path/to/homepage",
"import": ...,
"incognito": "spanning or split",
"input_components": ...,
"key": "publicKey",
"minimum_chrome_version": "versionString",
"nacl_modules": [...],
"oauth2": ...,
"offline_enabled": true,
"omnibox": {
"keyword": "aString"
},
"optional_permissions": ...,
"options_page": "aFile.html",
"options_ui": ...,
"page_actions": ...,
"permissions": [...],
"platforms": ...,
"plugins": [...],
"requirements": {...},
"sandbox": [...],
"script_badge": ...,
"short_name": "Short Name",
"signature": ...,
"spellcheck": ...,
"storage": {
"managed_schema": "schema.json"
},
"system_indicator": ...,
"tts_engine": ...,
"update_url": "http://path/to/updateInfo.xml",
"web_accessible_resources": [...]
}

'''Apache'''

It is required to add lines to the httpd.conf configuration file, or inside .htaccess files or virtual host sections.
Also, it is required to enable mod_headers, and after inserting the lines according to your specific needs, restart Apache.
The headers below are good examples to add in the files (change/modify it properly):

Header unset Content-Security-Policy
Header add Content-Security-Policy "default-src 'self'"
Header unset X-Content-Security-Policy
Header add X-Content-Security-Policy "default-src 'self'"
Header unset X-WebKit-CSP Header add X-WebKit-CSP "default-src 'self'"

'''WordPress'''

Most of the configuration can be done in Apache, however, Wordpress has a plugin that allows developers/administrator to set up their own custom policies. The plugin however is not update for 2 years. Use it carefully.
A workaround can be the creation or modification of the file htaccess under wp-admin directory.

An example:

<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self';
img-src 'self' data: http: https: *.gravatar.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline' http: https: fonts.googleapis.com;
font-src 'self' data: http: https: fonts.googleapis.com themes.googleusercontent.com;"
</IfModule>

'''nginx'''

For nginx, it is required to edit the nginx.conf file.

# config to don't allow the browser to render the page inside an frame or iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;

# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
add_header X-Content-Type-Options nosniff;

# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block";

# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
# directives for css and js(if you have inline css or js, you will need to keep it too).
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://example.com https://example1.com; style-src https://example.com; font-src https://example.com; frame-src https://example.com; object-src 'none'";

server {
listen 443 ssl default deferred;
server_name .forgott.com;

ssl_certificate the_path_of_your_certificate.crt;
ssl_certificate_key the_path_of_your_key.key;

'''===Django'''===

Django recently introduced a package with a number a collection of models, views and middlewares to aid secure Django based projects.
The installation of this model can be done through from Python packages repository:
pip install django-security
Also, the the latest development version, install from django-security repository on GitHub:
git clone https://github.com/sdelements/django-security.git
cd django-security
sudo python setup.py install
For each Djangon’s application, the settings.py file must be modified.

INSTALLED_APPS = (
...
'security',
...
)
Middleware modules can be added to MIDDLEWARE_CLASSES list in settings file. Particularly, it is our interesting the ContentSecurityPolicyMiddleware. It sends Content Security Policy (CSP) header in HTTP response.:
MIDDLEWARE_CLASSES = (
...
'security.middleware.DoNotTrackMiddleware',
'security.ContentSecurityPolicyMiddleware',
'security.middleware.ContentNoSniff',
'security.middleware.XssProtectMiddleware',
'security.middleware.XFrameOptionsMiddleware',
)

= Authors and Primary Editors =

Neil Mattatall - neil[at]owasp.org 
Denis Mello - ddtaxe

= Other Cheatsheets =
{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]]

Content Security Policy Cheat Sheet

2015-04-04T12:23:29Z

Denis Vinicius de Mello: /* CSP Cheat Sheet - Guide for main technologies */

Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and more importantly to reduce the harm caused by content injection attacks.

= Introduction =

Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and '''more importantly to reduce the harm caused by content injection attacks.'''

= Main Reference =

The most recent version of the CSP standard can be found here: https://w3c.github.io/webappsec/specs/content-security-policy/

= CSP Cheat Sheet - Guide for main technologies =

This section summarizes the implementation and/or support for CSP in different technologies (either acting as Client or Server).
See below the details.

'''===Google Chromes==='''
Google Chrome based web applications and theme uses a manifest file named manifest.json.
There is a section in the manifest file where the developer can declare the CSP directives.
For further details, please refer to Content Security Police for Google Chrome.

{
''// Required''
"manifest_version": 2,
"name": "My Extension",
"version": "versionString",

''// Recommended''
"default_locale": "en",
"description": "A plain text description",
"icons": {...},

''// Pick one (or none)''
"browser_action": {...},
"page_action": {...},

''// Optional''
"author": ...,
"automation": ...,
"background": {
// Recommended
"persistent": false
},
"background_page": ...,
"chrome_settings_overrides": {...},
"chrome_ui_overrides": {
"bookmarks_ui": {
"remove_bookmark_shortcut": true,
"remove_button": true
}
},
"chrome_url_overrides": {...},
"commands": ...,
"content_pack": ...,
"content_scripts": [{...}],
"content_security_policy": "policyString",
"converted_from_user_script": ...,
"current_locale": ...,
"devtools_page": ...,
"externally_connectable": {
"matches": ["*://*.example.com/*"]
},
"file_browser_handlers": [...],
"homepage_url": "http://path/to/homepage",
"import": ...,
"incognito": "spanning or split",
"input_components": ...,
"key": "publicKey",
"minimum_chrome_version": "versionString",
"nacl_modules": [...],
"oauth2": ...,
"offline_enabled": true,
"omnibox": {
"keyword": "aString"
},
"optional_permissions": ...,
"options_page": "aFile.html",
"options_ui": ...,
"page_actions": ...,
"permissions": [...],
"platforms": ...,
"plugins": [...],
"requirements": {...},
"sandbox": [...],
"script_badge": ...,
"short_name": "Short Name",
"signature": ...,
"spellcheck": ...,
"storage": {
"managed_schema": "schema.json"
},
"system_indicator": ...,
"tts_engine": ...,
"update_url": "http://path/to/updateInfo.xml",
"web_accessible_resources": [...]
}

'''===Apache'''===

It is required to add lines to the httpd.conf configuration file, or inside .htaccess files or virtual host sections.
Also, it is required to enable mod_headers, and after inserting the lines according to your specific needs, restart Apache.
The headers below are good examples to add in the files (change/modify it properly):

Header unset Content-Security-Policy
Header add Content-Security-Policy "default-src 'self'"
Header unset X-Content-Security-Policy
Header add X-Content-Security-Policy "default-src 'self'"
Header unset X-WebKit-CSP Header add X-WebKit-CSP "default-src 'self'"

'''===WordPress'''===

Most of the configuration can be done in Apache, however, Wordpress has a plugin that allows developers/administrator to set up their own custom policies. The plugin however is not update for 2 years. Use it carefully.
A workaround can be the creation or modification of the file htaccess under wp-admin directory.
An example:
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self';
img-src 'self' data: http: https: *.gravatar.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline' http: https: fonts.googleapis.com;
font-src 'self' data: http: https: fonts.googleapis.com themes.googleusercontent.com;"
</IfModule>
nginx
For nginx, it is required to edit the nginx.conf file.

# config to don't allow the browser to render the page inside an frame or iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;

# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
add_header X-Content-Type-Options nosniff;

# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block";

# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
# directives for css and js(if you have inline css or js, you will need to keep it too).
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://example.com https://example1.com; style-src https://example.com; font-src https://example.com; frame-src https://example.com; object-src 'none'";

server {
listen 443 ssl default deferred;
server_name .forgott.com;

ssl_certificate the_path_of_your_certificate.crt;
ssl_certificate_key the_path_of_your_key.key;

'''===Django'''===

Django recently introduced a package with a number a collection of models, views and middlewares to aid secure Django based projects.
The installation of this model can be done through from Python packages repository:
pip install django-security
Also, the the latest development version, install from django-security repository on GitHub:
git clone https://github.com/sdelements/django-security.git
cd django-security
sudo python setup.py install
For each Djangon’s application, the settings.py file must be modified.

INSTALLED_APPS = (
...
'security',
...
)
Middleware modules can be added to MIDDLEWARE_CLASSES list in settings file. Particularly, it is our interesting the ContentSecurityPolicyMiddleware. It sends Content Security Policy (CSP) header in HTTP response.:
MIDDLEWARE_CLASSES = (
...
'security.middleware.DoNotTrackMiddleware',
'security.ContentSecurityPolicyMiddleware',
'security.middleware.ContentNoSniff',
'security.middleware.XssProtectMiddleware',
'security.middleware.XFrameOptionsMiddleware',
)

= Authors and Primary Editors =

Neil Mattatall - neil[at]owasp.org 
Denis Mello - ddtaxe

= Other Cheatsheets =
{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]]

Content Security Policy Cheat Sheet

2015-04-04T12:18:36Z

Denis Vinicius de Mello: /* CSP Cheat Sheet - Guide for main technologies */

Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and more importantly to reduce the harm caused by content injection attacks.

= Introduction =

Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and '''more importantly to reduce the harm caused by content injection attacks.'''

= Main Reference =

The most recent version of the CSP standard can be found here: https://w3c.github.io/webappsec/specs/content-security-policy/

= CSP Cheat Sheet - Guide for main technologies =

This section summarizes the implementation and/or support for CSP in different technologies (either acting as Client or Server).
See below the details.

'''Google Chrome'''
Google Chrome based web applications and theme uses a manifest file named manifest.json.
There is a section in the manifest file where the developer can declare the CSP directives.
For further details, please refer to Content Security Police for Google Chrome.

{
''// Required''
"manifest_version": 2,
"name": "My Extension",
"version": "versionString",

''// Recommended''
"default_locale": "en",
"description": "A plain text description",
"icons": {...},

''// Pick one (or none)''
"browser_action": {...},
"page_action": {...},

''// Optional''
"author": ...,
"automation": ...,
"background": {
// Recommended
"persistent": false
},
"background_page": ...,
"chrome_settings_overrides": {...},
"chrome_ui_overrides": {
"bookmarks_ui": {
"remove_bookmark_shortcut": true,
"remove_button": true
}
},
"chrome_url_overrides": {...},
"commands": ...,
"content_pack": ...,
"content_scripts": [{...}],
"content_security_policy": "policyString",
"converted_from_user_script": ...,
"current_locale": ...,
"devtools_page": ...,
"externally_connectable": {
"matches": ["*://*.example.com/*"]
},
"file_browser_handlers": [...],
"homepage_url": "http://path/to/homepage",
"import": ...,
"incognito": "spanning or split",
"input_components": ...,
"key": "publicKey",
"minimum_chrome_version": "versionString",
"nacl_modules": [...],
"oauth2": ...,
"offline_enabled": true,
"omnibox": {
"keyword": "aString"
},
"optional_permissions": ...,
"options_page": "aFile.html",
"options_ui": ...,
"page_actions": ...,
"permissions": [...],
"platforms": ...,
"plugins": [...],
"requirements": {...},
"sandbox": [...],
"script_badge": ...,
"short_name": "Short Name",
"signature": ...,
"spellcheck": ...,
"storage": {
"managed_schema": "schema.json"
},
"system_indicator": ...,
"tts_engine": ...,
"update_url": "http://path/to/updateInfo.xml",
"web_accessible_resources": [...]
}

'''Apache'''
It is required to add lines to the httpd.conf configuration file, or inside .htaccess files or virtual host sections.
Also, it is required to enable mod_headers, and after inserting the lines according to your specific needs, restart Apache.
The headers below are good examples to add in the files (change/modify it properly):

Header unset Content-Security-Policy
Header add Content-Security-Policy "default-src 'self'"
Header unset X-Content-Security-Policy
Header add X-Content-Security-Policy "default-src 'self'"
Header unset X-WebKit-CSP Header add X-WebKit-CSP "default-src 'self'"

'''WordPress'''

Most of the configuration can be done in Apache, however, Wordpress has a plugin that allows developers/administrator to set up their own custom policies. The plugin however is not update for 2 years. Use it carefully.
A workaround can be the creation or modification of the file htaccess under wp-admin directory.
An example:
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self';
img-src 'self' data: http: https: *.gravatar.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline' http: https: fonts.googleapis.com;
font-src 'self' data: http: https: fonts.googleapis.com themes.googleusercontent.com;"
</IfModule>
nginx
For nginx, it is required to edit the nginx.conf file.

# config to don't allow the browser to render the page inside an frame or iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;

# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
add_header X-Content-Type-Options nosniff;

# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block";

# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
# directives for css and js(if you have inline css or js, you will need to keep it too).
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://example.com https://example1.com; style-src https://example.com; font-src https://example.com; frame-src https://example.com; object-src 'none'";

server {
listen 443 ssl default deferred;
server_name .forgott.com;

ssl_certificate the_path_of_your_certificate.crt;
ssl_certificate_key the_path_of_your_key.key;

'''Django'''

Django recently introduced a package with a number a collection of models, views and middlewares to aid secure Django based projects.
The installation of this model can be done through from Python packages repository:
pip install django-security
Also, the the latest development version, install from django-security repository on GitHub:
git clone https://github.com/sdelements/django-security.git
cd django-security
sudo python setup.py install
For each Djangon’s application, the settings.py file must be modified.

INSTALLED_APPS = (
...
'security',
...
)
Middleware modules can be added to MIDDLEWARE_CLASSES list in settings file. Particularly, it is our interesting the ContentSecurityPolicyMiddleware. It sends Content Security Policy (CSP) header in HTTP response.:
MIDDLEWARE_CLASSES = (
...
'security.middleware.DoNotTrackMiddleware',
'security.ContentSecurityPolicyMiddleware',
'security.middleware.ContentNoSniff',
'security.middleware.XssProtectMiddleware',
'security.middleware.XFrameOptionsMiddleware',
)

= Authors and Primary Editors =

Neil Mattatall - neil[at]owasp.org 
Denis Mello - ddtaxe

= Other Cheatsheets =
{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]]

Content Security Policy Cheat Sheet

2015-04-04T12:14:37Z

Denis Vinicius de Mello:

Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and more importantly to reduce the harm caused by content injection attacks.

= Introduction =

Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and '''more importantly to reduce the harm caused by content injection attacks.'''

= Main Reference =

The most recent version of the CSP standard can be found here: https://w3c.github.io/webappsec/specs/content-security-policy/

= CSP Cheat Sheet - Guide for main technologies =

This section summarizes the implementation and/or support for CSP in different technologies (either acting as Client or Server).
See below the details.

Google Chrome
Google Chrome based web applications and theme uses a manifest file named manifest.json.
There is a section in the manifest file where the developer can declare the CSP directives.
For further details, please refer to Content Security Police for Google Chrome.
{
// Required
"manifest_version": 2,
"name": "My Extension",
"version": "versionString",

// Recommended
"default_locale": "en",
"description": "A plain text description",
"icons": {...},

// Pick one (or none)
"browser_action": {...},
"page_action": {...},

// Optional
"author": ...,
"automation": ...,
"background": {
// Recommended
"persistent": false
},
"background_page": ...,
"chrome_settings_overrides": {...},
"chrome_ui_overrides": {
"bookmarks_ui": {
"remove_bookmark_shortcut": true,
"remove_button": true
}
},
"chrome_url_overrides": {...},
"commands": ...,
"content_pack": ...,
"content_scripts": [{...}],
"content_security_policy": "policyString",
"converted_from_user_script": ...,
"current_locale": ...,
"devtools_page": ...,
"externally_connectable": {
"matches": ["*://*.example.com/*"]
},
"file_browser_handlers": [...],
"homepage_url": "http://path/to/homepage",
"import": ...,
"incognito": "spanning or split",
"input_components": ...,
"key": "publicKey",
"minimum_chrome_version": "versionString",
"nacl_modules": [...],
"oauth2": ...,
"offline_enabled": true,
"omnibox": {
"keyword": "aString"
},
"optional_permissions": ...,
"options_page": "aFile.html",
"options_ui": ...,
"page_actions": ...,
"permissions": [...],
"platforms": ...,
"plugins": [...],
"requirements": {...},
"sandbox": [...],
"script_badge": ...,
"short_name": "Short Name",
"signature": ...,
"spellcheck": ...,
"storage": {
"managed_schema": "schema.json"
},
"system_indicator": ...,
"tts_engine": ...,
"update_url": "http://path/to/updateInfo.xml",
"web_accessible_resources": [...]
}
Apache
It is required to add lines to the httpd.conf configuration file, or inside .htaccess files or virtual host sections.
Also, it is required to enable mod_headers, and after inserting the lines according to your specific needs, restart Apache.
The headers below are good examples to add in the files (change/modify it properly):

Header unset Content-Security-Policy
Header add Content-Security-Policy "default-src 'self'"
Header unset X-Content-Security-Policy
Header add X-Content-Security-Policy "default-src 'self'"
Header unset X-WebKit-CSP Header add X-WebKit-CSP "default-src 'self'"
WordPress
Most of the configuration can be done in Apache, however, Wordpress has a plugin that allows developers/administrator to set up their own custom policies. The plugin however is not update for 2 years. Use it carefully.
A workaround can be the creation or modification of the file htaccess under wp-admin directory.
An example:
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self';
img-src 'self' data: http: https: *.gravatar.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline' http: https: fonts.googleapis.com;
font-src 'self' data: http: https: fonts.googleapis.com themes.googleusercontent.com;"
</IfModule>
nginx
For nginx, it is required to edit the nginx.conf file.

# config to don't allow the browser to render the page inside an frame or iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;

# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
add_header X-Content-Type-Options nosniff;

# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block";

# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
# directives for css and js(if you have inline css or js, you will need to keep it too).
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://example.com https://example1.com; style-src https://example.com; font-src https://example.com; frame-src https://example.com; object-src 'none'";

server {
listen 443 ssl default deferred;
server_name .forgott.com;

ssl_certificate the_path_of_your_certificate.crt;
ssl_certificate_key the_path_of_your_key.key;

Django
Django recently introduced a package with a number a collection of models, views and middlewares to aid secure Django based projects.
The installation of this model can be done through from Python packages repository:
pip install django-security
Also, the the latest development version, install from django-security repository on GitHub:
git clone https://github.com/sdelements/django-security.git
cd django-security
sudo python setup.py install
For each Djangon’s application, the settings.py file must be modified.

INSTALLED_APPS = (
...
'security',
...
)
Middleware modules can be added to MIDDLEWARE_CLASSES list in settings file. Particularly, it is our interesting the ContentSecurityPolicyMiddleware. It sends Content Security Policy (CSP) header in HTTP response.:
MIDDLEWARE_CLASSES = (
...
'security.middleware.DoNotTrackMiddleware',
'security.ContentSecurityPolicyMiddleware',
'security.middleware.ContentNoSniff',
'security.middleware.XssProtectMiddleware',
'security.middleware.XFrameOptionsMiddleware',
)

= Authors and Primary Editors =

Neil Mattatall - neil[at]owasp.org 
Denis Mello - ddtaxe

= Other Cheatsheets =
{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]]

Content Security Policy Cheat Sheet

2015-04-04T12:09:35Z

Denis Vinicius de Mello: /* DRAFT CHEAT SHEET - WORK IN PROGRESS */

Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and more importantly to reduce the harm caused by content injection attacks.

= Introduction =

Introduction to CSP here.

= 80% Solution Policy =

This allows inline javascript and styles while ensuring flash and mixed content can't happen.

default-src 'self'; font-src data: 'self'; img-src data: https:
'self'; media-src *; object-src 'none'; script-src 'self'
'unsafe-inline'; style-src 'self' 'unsafe-inline'; report-uri ???

[todo] adding eval
[todo] adding a CDN, for example
[todo] Add instructions for google analytics/translation

= Configurations =

[todo] add context around these examples and where they would go in a
config file.

== Apache ==

Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
Header set Strict-Transport-Security "max-age=631138519"
Header unset Content-Security-Policy
Header add Content-Security-Policy-Report-Only <whatever the policy ends up being>

== nginx ==

add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "SAMEORIGIN";
add_header Strict-Transport-Security "max-age=631138519";
add_header Content-Security-Policy-Report-Only <whatever the policy
ends up being>

= Authors and Primary Editors =

Neil Mattatall - neil[at]owasp.org 
Denis Mello - ddtaxe

= Other Cheatsheets =
{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]]

User:Denis Vinicius de Mello

2014-09-22T17:47:17Z

Denis Vinicius de Mello:

• A multi-skilled solution/technology architect, security expert accomplished 10+ years leading the design, development and implementation of high-performance technology and security solutions. Plus, several areas of Information Security, Project Management, Governance and Cloud Computing.
• Proven consulting, leadership and ability to bring the benefits of IT to solve business issues while delivering projects, applications and infrastructure to large corporations. Contributed in successful projects, team leadership and presentation skills at executive management level.
• Solid experience in analyzing, documenting customer requirements and providing technology planning, strategy, direction and design choices within solutions used to meet the business requirements.
• Infrastructure knowledge concentrated around next generation data center, Infrastructure as a Service (IaaS), Platform as a Service (Paas)
• Complete software development lifecycle experience on multiple projects utilizing waterfall and Agile methodologies.

Technical Skills:
- SalesForce.com Administration and Development (triggers, classes);
- SOA, Webservices and Cloud Solutions;
- TCP Protocol and OSI Model;
- Network Topology;
- Linux/Windows Penetration Tester and Management (DHCP, LDAP, DNS.)
- DBMS solutions;
- Debugging Tools, Reverse Engineering and Malware's behavior;
- Windows Server Platform and Linux 2.6 kernel knowledge ;
- Security hacking: stack and buffer overflow and analysis in C (starting Java and Python), SQL Injection, XSS and shellcode,
- Security Forensic Analysis knowledge;
- VMware vSphere;

Business Skills:
- Project and IT Management;
- Process Mapping/BPM;
- IT Strategy;
- Pre-sales
- Workshops and Education;
- Team Leadership.
- Business and Technical Writer;
- IT and Security Evangelist.
- SDLC and Agile

Content Security Policy Cheat Sheet

2014-09-22T17:44:27Z

Denis Vinicius de Mello:

= DRAFT CHEAT SHEET - WORK IN PROGRESS =
= Introduction =

Introduction to CSP here.

= 80% Solution Policy =

This allows inline javascript and styles while ensuring flash and mixed content can't happen.

default-src 'self'; font-src data: 'self'; img-src data: https:
'self'; media-src *; object-src 'none'; script-src 'self'
'unsafe-inline'; style-src 'self' 'unsafe-inline'; report-uri ???

[todo] adding eval
[todo] adding a CDN, for example
[todo] Add instructions for google analytics/translation

= Configurations =

[todo] add context around these examples and where they would go in a
config file.

== Apache ==

Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
Header set Strict-Transport-Security "max-age=631138519"
Header unset Content-Security-Policy
Header add Content-Security-Policy-Report-Only <whatever the policy ends up being>

== nginx ==

add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "SAMEORIGIN";
add_header Strict-Transport-Security "max-age=631138519";
add_header Content-Security-Policy-Report-Only <whatever the policy
ends up being>

= Authors and Primary Editors =

Neil Mattatall - neil[at]owasp.org 
Denis Mello - ddtaxe

= Other Cheatsheets =
{{Cheatsheet_Navigation}}

[[Category:Cheatsheets]]