Project

General

Profile

Enhancement #602

Deploy Content Security Policy (CSP) and check other security headers

Added by Marc Dequènes almost 2 years ago. Updated 8 months ago.

Status:
In Progress
Priority:
Normal
Category:
Service :: Web
Start date:
2017-09-30
Due date:
% Done:

30%

Patch Available:
Confirmed:
No
Branch:
Entity:
DuckCorp
Security:
Yes
Help Needed:

Description

We should have a look at this: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Full specification: https://www.w3.org/TR/CSP/


Related issues

Related to DuckCorp Infrastructure - Enhancement #571: Secure HTTP settings Resolved 2017-06-25

History

#2 Updated by Marc Dequènes almost 2 years ago

#3 Updated by Marc Dequènes almost 2 years ago

  • % Done changed from 0 to 10

Tested on test.duckcorp.org and fixed a few things. Now applied on www.duckcorp.org.

The FF plugin had a false positive on script-src 'unsafe-inline'. I found the error reporting clearer on Chromium.

#4 Updated by Marc Dequènes over 1 year ago

Content Security Policy: The page’s settings blocked the loading of a resource at https://irconweb.milkypond.org/#chan-1 (“form-action 'none'”).

#5 Updated by Marc Dequènes 8 months ago

  • Subject changed from Experiment with Content Security Policy (CSP) to Deploy Content Security Policy (CSP) and check other security headers
  • % Done changed from 10 to 30

It works, even if finding the right setting may need some trial and error.

I've already setup certain vhosts and certain applications may provide one (Nexcloud), so let's list the vhost needing one and fix them one by one.

I should also check the result of: https://securityheaders.com/

I updated the httpd role for more secure headers. I need to have a look at duplicate headers.

Also available in: Atom PDF