Revision as of 12:23, 4 April 2015

Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and more importantly to reduce the harm caused by content injection attacks.

Introduction

Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and more importantly to reduce the harm caused by content injection attacks.

Main Reference

The most recent version of the CSP standard can be found here: https://w3c.github.io/webappsec/specs/content-security-policy/

CSP Cheat Sheet - Guide for main technologies

This section summarizes the implementation and/or support for CSP in different technologies (either acting as Client or Server). See below the details.

===Google Chromes=== Google Chrome based web applications and theme uses a manifest file named manifest.json. There is a section in the manifest file where the developer can declare the CSP directives. For further details, please refer to Content Security Police for Google Chrome.

{

 // Required
 "manifest_version": 2,
 "name": "My Extension",
 "version": "versionString",

 // Recommended
 "default_locale": "en",
 "description": "A plain text description",
 "icons": {...},

 // Pick one (or none)
 "browser_action": {...},
 "page_action": {...},

 // Optional
 "author": ...,
 "automation": ...,
 "background": {
   // Recommended
   "persistent": false
 },
 "background_page": ...,
 "chrome_settings_overrides": {...},
 "chrome_ui_overrides": {
   "bookmarks_ui": {
     "remove_bookmark_shortcut": true,
     "remove_button": true
   }
 },
 "chrome_url_overrides": {...},
 "commands": ...,
 "content_pack": ...,
 "content_scripts": [{...}],
 "content_security_policy": "policyString",
 "converted_from_user_script": ...,
 "current_locale": ...,
 "devtools_page": ...,
 "externally_connectable": {
   "matches": ["*://*.example.com/*"]
 },
 "file_browser_handlers": [...],
 "homepage_url": "http://path/to/homepage",
 "import": ...,
 "incognito": "spanning or split",
 "input_components": ...,
 "key": "publicKey",
 "minimum_chrome_version": "versionString",
 "nacl_modules": [...],
 "oauth2": ...,
 "offline_enabled": true,
 "omnibox": {
   "keyword": "aString"
 },
 "optional_permissions": ...,
 "options_page": "aFile.html",
 "options_ui": ...,
 "page_actions": ...,
 "permissions": [...],
 "platforms": ...,
 "plugins": [...],
 "requirements": {...},
 "sandbox": [...],
 "script_badge": ...,
 "short_name": "Short Name",
 "signature": ...,
 "spellcheck": ...,
 "storage": {
   "managed_schema": "schema.json"
 },
 "system_indicator": ...,
 "tts_engine": ...,
 "update_url": "http://path/to/updateInfo.xml",
 "web_accessible_resources": [...]

}

===Apache===

It is required to add lines to the httpd.conf configuration file, or inside .htaccess files or virtual host sections. Also, it is required to enable mod_headers, and after inserting the lines according to your specific needs, restart Apache. The headers below are good examples to add in the files (change/modify it properly):

Header unset Content-Security-Policy Header add Content-Security-Policy "default-src 'self'" Header unset X-Content-Security-Policy Header add X-Content-Security-Policy "default-src 'self'" Header unset X-WebKit-CSP Header add X-WebKit-CSP "default-src 'self'"

===WordPress===

Most of the configuration can be done in Apache, however, Wordpress has a plugin that allows developers/administrator to set up their own custom policies. The plugin however is not update for 2 years. Use it carefully. A workaround can be the creation or modification of the file htaccess under wp-admin directory. An example: <IfModule mod_headers.c> Header set Content-Security-Policy "default-src 'self'; img-src 'self' data: http: https: *.gravatar.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' http: https: fonts.googleapis.com; font-src 'self' data: http: https: fonts.googleapis.com themes.googleusercontent.com;" </IfModule> nginx For nginx, it is required to edit the nginx.conf file.

1. config to don't allow the browser to render the page inside an frame or iframe
2. and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
3. if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options

add_header X-Frame-Options SAMEORIGIN;

1. when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
2. to disable content-type sniffing on some browsers.
3. https://www.owasp.org/index.php/List_of_useful_HTTP_headers
4. currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
5. http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
6. 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020

add_header X-Content-Type-Options nosniff;

1. This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
2. It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
3. this particular website if it was disabled by the user.
4. https://www.owasp.org/index.php/List_of_useful_HTTP_headers

add_header X-XSS-Protection "1; mode=block";

1. with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
2. you can tell the browser that it can only download content from the domains you explicitly allow
3. http://www.html5rocks.com/en/tutorials/security/content-security-policy/
4. https://www.owasp.org/index.php/Content_Security_Policy
5. I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
6. directives for css and js(if you have inline css or js, you will need to keep it too).
7. more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://example.com https://example1.com; style-src https://example.com; font-src https://example.com; frame-src https://example.com; object-src 'none'";

server {

listen 443 ssl default deferred;
server_name .forgott.com;

ssl_certificate the_path_of_your_certificate.crt;
ssl_certificate_key the_path_of_your_key.key;

===Django===

Django recently introduced a package with a number a collection of models, views and middlewares to aid secure Django based projects. The installation of this model can be done through from Python packages repository: pip install django-security Also, the the latest development version, install from django-security repository on GitHub: git clone https://github.com/sdelements/django-security.git cd django-security sudo python setup.py install For each Djangon’s application, the settings.py file must be modified.

INSTALLED_APPS = (

   ...
   'security',
   ...
   )

Middleware modules can be added to MIDDLEWARE_CLASSES list in settings file. Particularly, it is our interesting the ContentSecurityPolicyMiddleware. It sends Content Security Policy (CSP) header in HTTP response.: MIDDLEWARE_CLASSES = ( ... 'security.middleware.DoNotTrackMiddleware', 'security.ContentSecurityPolicyMiddleware', 'security.middleware.ContentNoSniff', 'security.middleware.XssProtectMiddleware', 'security.middleware.XFrameOptionsMiddleware', )

Authors and Primary Editors

Neil Mattatall - neil[at]owasp.org
Denis Mello - ddtaxe

Other Cheatsheets

OWASP Cheat Sheets Project Homepage

• OWASP Cheat Sheet Series