(25 intermediate revisions by 5 users not shown) |
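--- a/Content_Security_Policy_Cheat_Sheet
+++ b/Content_Security_Policy_Cheat_Sheet
@@ -1,189 +1,8 @@
-Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and more importantly to reduce the harm caused by content injection attacks.
+__NOTOC__
+<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
 
-= Introduction =
+The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]!
 
-Content Security Policy (CSP) is an important standard that is aimed to prevent attacks such as cross-site scripting (XSS) and '''more importantly to reduce the harm caused by content injection attacks.'''
+Please visit [https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html Content Security Policy Cheat Sheet] to see the latest version of the cheat sheet.
-
-= Main Reference =
-
-The most recent version of the CSP standard can be found here: https://w3c.github.io/webappsec/specs/content-security-policy/
-
-= CSP Cheat Sheet - Guide for main technologies =
-
-This section summarizes the implementation and/or support for CSP in different technologies (either acting as Client or Server).
-See below the details.
-
-Google Chrome
-Google Chrome based web applications and theme uses a manifest file named manifest.json.
-There is a section in the manifest file where the developer can declare the CSP directives.
-For further details, please refer to Content Security Police for Google Chrome.
-{
-// Required
-"manifest_version": 2,
-"name": "My Extension",
-"version": "versionString",
-
-// Recommended
-"default_locale": "en",
-"description": "A plain text description",
-"icons": {...},
-
-// Pick one (or none)
-"browser_action": {...},
-"page_action": {...},
-
-// Optional
-"author": ...,
-"automation": ...,
-"background": {
-// Recommended
-"persistent": false
-},
-"background_page": ...,
-"chrome_settings_overrides": {...},
-"chrome_ui_overrides": {
-"bookmarks_ui": {
-"remove_bookmark_shortcut": true,
-"remove_button": true
-}
-},
-"chrome_url_overrides": {...},
-"commands": ...,
-"content_pack": ...,
-"content_scripts": [{...}],
-"content_security_policy": "policyString",
-"converted_from_user_script": ...,
-"current_locale": ...,
-"devtools_page": ...,
-"externally_connectable": {
-"matches": ["*://*.example.com/*"]
-},
-"file_browser_handlers": [...],
-"homepage_url": "http://path/to/homepage",
-"import": ...,
-"incognito": "spanning or split",
-"input_components": ...,
-"key": "publicKey",
-"minimum_chrome_version": "versionString",
-"nacl_modules": [...],
-"oauth2": ...,
-"offline_enabled": true,
-"omnibox": {
-"keyword": "aString"
-},
-"optional_permissions": ...,
-"options_page": "aFile.html",
-"options_ui": ...,
-"page_actions": ...,
-"permissions": [...],
-"platforms": ...,
-"plugins": [...],
-"requirements": {...},
-"sandbox": [...],
-"script_badge": ...,
-"short_name": "Short Name",
-"signature": ...,
-"spellcheck": ...,
-"storage": {
-"managed_schema": "schema.json"
-},
-"system_indicator": ...,
-"tts_engine": ...,
-"update_url": "http://path/to/updateInfo.xml",
-"web_accessible_resources": [...]
-}
-Apache
-It is required to add lines to the httpd.conf configuration file, or inside .htaccess files or virtual host sections.
-Also, it is required to enable mod_headers, and after inserting the lines according to your specific needs, restart Apache.
-The headers below are good examples to add in the files (change/modify it properly):
-
-Header unset Content-Security-Policy
-Header add Content-Security-Policy "default-src 'self'"
-Header unset X-Content-Security-Policy
-Header add X-Content-Security-Policy "default-src 'self'"
-Header unset X-WebKit-CSP Header add X-WebKit-CSP "default-src 'self'"
-WordPress
-Most of the configuration can be done in Apache, however, Wordpress has a plugin that allows developers/administrator to set up their own custom policies. The plugin however is not update for 2 years. Use it carefully.
-A workaround can be the creation or modification of the file htaccess under wp-admin directory.
-An example:
-<IfModule mod_headers.c>
-Header set Content-Security-Policy "default-src 'self';
-img-src 'self' data: http: https: *.gravatar.com;
-script-src 'self' 'unsafe-inline' 'unsafe-eval';
-style-src 'self' 'unsafe-inline' http: https: fonts.googleapis.com;
-font-src 'self' data: http: https: fonts.googleapis.com themes.googleusercontent.com;"
-</IfModule>
-nginx
-For nginx, it is required to edit the nginx.conf file.
-
-# config to don't allow the browser to render the page inside an frame or iframe
-# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
-# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
-add_header X-Frame-Options SAMEORIGIN;
-
-# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
-# to disable content-type sniffing on some browsers.
-# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
-# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
-# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
-# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
-add_header X-Content-Type-Options nosniff;
-
-# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
-# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
-# this particular website if it was disabled by the user.
-# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
-add_header X-XSS-Protection "1; mode=block";
-
-# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
-# you can tell the browser that it can only download content from the domains you explicitly allow
-# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
-# https://www.owasp.org/index.php/Content_Security_Policy
-# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
-# directives for css and js(if you have inline css or js, you will need to keep it too).
-# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
-add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://example.com https://example1.com; style-src https://example.com; font-src https://example.com; frame-src https://example.com; object-src 'none'";
-
-server {
-listen 443 ssl default deferred;
-server_name .forgott.com;
-
-ssl_certificate the_path_of_your_certificate.crt;
-ssl_certificate_key the_path_of_your_key.key;
-
-Django
-Django recently introduced a package with a number a collection of models, views and middlewares to aid secure Django based projects.
-The installation of this model can be done through from Python packages repository:
-pip install django-security
-Also, the the latest development version, install from django-security repository on GitHub:
-git clone https://github.com/sdelements/django-security.git
-cd django-security
-sudo python setup.py install
-For each Djangon’s application, the settings.py file must be modified.
-
-INSTALLED_APPS = (
-...
-'security',
-...
-)
-Middleware modules can be added to MIDDLEWARE_CLASSES list in settings file. Particularly, it is our interesting the ContentSecurityPolicyMiddleware. It sends Content Security Policy (CSP) header in HTTP response.:
-MIDDLEWARE_CLASSES = (
-...
-'security.middleware.DoNotTrackMiddleware',
-'security.ContentSecurityPolicyMiddleware',
-'security.middleware.ContentNoSniff',
-'security.middleware.XssProtectMiddleware',
-'security.middleware.XFrameOptionsMiddleware',
-)
-
-
-
-= Authors and Primary Editors =
-
-Neil Mattatall - neil[at]owasp.org<br/>
-Denis Mello - ddtaxe
-
-= Other Cheatsheets =
-{{Cheatsheet_Navigation}}
-
-[[Category:Cheatsheets]]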