Project

General

Profile

Enhancement #602

Deploy Content Security Policy (CSP) and check other security headers

Added by Marc Dequènes about 2 years ago. Updated about 1 month ago.

Status:
In Progress
Priority:
Normal
Category:
Service :: Web
Start date:
2017-09-30
Due date:
% Done:

30%

Estimated time:
Patch Available:
Confirmed:
No
Branch:
Entity:
DuckCorp
Security:
Yes
Help Needed:

Description

We should have a look at this: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Full specification: https://www.w3.org/TR/CSP/


Related issues

Related to DuckCorp Infrastructure - Enhancement #571: Secure HTTP settingsResolved2017-06-25

Actions

History

#2

Updated by Marc Dequènes about 2 years ago

#3

Updated by Marc Dequènes about 2 years ago

  • % Done changed from 0 to 10

Tested on test.duckcorp.org and fixed a few things. Now applied on www.duckcorp.org.

The FF plugin had a false positive on script-src 'unsafe-inline'. I found the error reporting clearer on Chromium.

#4

Updated by Marc Dequènes almost 2 years ago

Content Security Policy: The page’s settings blocked the loading of a resource at https://irconweb.milkypond.org/#chan-1 (“form-action 'none'”).
#5

Updated by Marc Dequènes 11 months ago

  • Subject changed from Experiment with Content Security Policy (CSP) to Deploy Content Security Policy (CSP) and check other security headers
  • % Done changed from 10 to 30

It works, even if finding the right setting may need some trial and error.

I've already setup certain vhosts and certain applications may provide one (Nexcloud), so let's list the vhost needing one and fix them one by one.

I should also check the result of: https://securityheaders.com/

I updated the httpd role for more secure headers. I need to have a look at duplicate headers.

#6

Updated by Marc Dequènes 2 months ago

The Mozilla checker is interesting, especially for the CSP analysis. I'll make some fixes for our website soon and then try to add support for more vhosts.

#7

Updated by Marc Dequènes 2 months ago

Let's protect core services first:
  • ca.duckcorp.org
  • db.duckcorp.org
  • ddns.duckcorp.org
  • dico.duckcorp.org
  • doc.duckcorp.org
  • gossip.duckcorp.org
  • lists.duckcorp.org
  • myip.duckcorp.org
  • ntp.duckcorp.org
  • projects.duckcorp.org
  • radio.duckcorp.org
  • repository.duckcorp.org
  • shizuka-STAR.duckcorp.org
  • smokeping.duckcorp.org
  • sources.duckcorp.org
  • static.perso.duckcorp.org
  • stuff.milkypond.org (handled by NextCloud)
  • sup.duckcorp.org
  • users.duckcorp.org
  • vcs.duckcorp.org
  • vcs-git.duckcorp.org
  • vcs-git-viewer.duckcorp.org
  • webmail.duckcorp.org
  • wiki.duckcorp.org
  • www.duckcorp.org
  • www.milkypond.org (redirection)
Excluded vhosts:
  • perso.duckcorp.org: each user needs to adapt to its own need
  • photos-ng.duckcorp.org: experimental at the moment
#8

Updated by Marc Dequènes about 1 month ago

updated currently deployed CSP to use upgrade-insecure-requests

Also available in: Atom PDF