Enhancement #602

open

Deploy Content Security Policy (CSP) and check other security headers

Added by Marc Dequènes over 6 years ago. Updated over 4 years ago.

Status: In Progress
Priority: Normal
Category: Service :: Web
Start date: 2017-09-30
Due date:
% Done: 30%
Estimated time:
Patch Available:
Confirmed: No
Branch:
Entity: DuckCorp
Security: Yes
Help Needed:
Description

We should have a look at this: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Full specification: https://www.w3.org/TR/CSP/

Related issues: 1 (0 open, 1 closed)

Related to DuckCorp Infrastructure - Enhancement #571: Secure HTTP settings (Resolved, Marc Dequènes, 2017-06-25)

Actions #2

Updated by Marc Dequènes over 6 years ago

Actions #3

Updated by Marc Dequènes over 6 years ago

  • % Done changed from 0 to 10

Tested on test.duckcorp.org and fixed a few things. Now applied on www.duckcorp.org.

The FF plugin had a false positive on script-src 'unsafe-inline'. I found the error reporting clearer on Chromium.

Actions #4

Updated by Marc Dequènes over 6 years ago

Content Security Policy: The page’s settings blocked the loading of a resource at https://irconweb.milkypond.org/#chan-1 (“form-action 'none'”).

Actions #5

Updated by Marc Dequènes over 5 years ago

  • Subject changed from Experiment with Content Security Policy (CSP) to Deploy Content Security Policy (CSP) and check other security headers
  • % Done changed from 10 to 30

It works, even if finding the right setting may need some trial and error.

I've already set up certain vhosts, and certain applications may provide one (Nextcloud), so let's list the vhosts needing one and fix them one by one.

I should also check the result of: https://securityheaders.com/

I updated the httpd role for more secure headers. I need to have a look at duplicate headers.

Actions #6

Updated by Marc Dequènes over 4 years ago

The Mozilla checker is interesting, especially for the CSP analysis. I'll make some fixes for our website soon and then try to add support for more vhosts.

Actions #7

Updated by Marc Dequènes over 4 years ago

Let's protect core services first:
  • ca.duckcorp.org
  • db.duckcorp.org
  • ddns.duckcorp.org
  • dico.duckcorp.org
  • doc.duckcorp.org
  • gossip.duckcorp.org
  • lists.duckcorp.org
  • myip.duckcorp.org
  • ntp.duckcorp.org
  • projects.duckcorp.org
  • radio.duckcorp.org
  • repository.duckcorp.org
  • shizuka-STAR.duckcorp.org
  • smokeping.duckcorp.org
  • sources.duckcorp.org
  • static.perso.duckcorp.org
  • stuff.milkypond.org (handled by NextCloud)
  • sup.duckcorp.org
  • users.duckcorp.org
  • vcs.duckcorp.org
  • vcs-git.duckcorp.org
  • vcs-git-viewer.duckcorp.org
  • webmail.duckcorp.org
  • wiki.duckcorp.org
  • www.duckcorp.org
  • www.milkypond.org (redirection)
Excluded vhosts:
  • perso.duckcorp.org: each user needs to adapt it to their own needs
  • photos-ng.duckcorp.org: experimental at the moment

Actions #8

Updated by Marc Dequènes over 4 years ago

Updated the currently deployed CSP to use upgrade-insecure-requests.
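As an added example (not code from this ticket or from the DuckCorp httpd role), the following offline Python checker covers the points raised in the comments above: duplicated response headers (comment #5), `script-src 'unsafe-inline'` (comment #3), an unrestricted `form-action` (comment #4) and a policy without `upgrade-insecure-requests` (comment #8), plus the presence of the usual companion headers. The header lists are constructed sample input, not responses captured from duckcorp.org.

```python
"""Offline checker for security response headers.

Added example, not code from this ticket or the DuckCorp httpd role.
It parses Content-Security-Policy values, flags the weak settings the
ticket discusses and reports duplicated headers.
"""
from collections import Counter

# Constructed sample input: header list as an HTTP client would receive it.
# Two CSP headers are deliberately present to exercise the duplicate check.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self' 'unsafe-inline'; form-action 'none'"),
    ("Content-Security-Policy",
     "default-src 'self'; upgrade-insecure-requests"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("X-Frame-Options", "DENY"),
]

# Constructed hardened variant that should produce no findings.
HARDENED_HEADERS = [
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self'; object-src 'none'; "
     "form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
]

# Companion headers expected next to a CSP (lower-cased for comparison).
REQUIRED_HEADERS = (
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
)


def parse_csp(value):
    """Split a CSP header value into {directive: [source tokens]}.

    Directive names and keyword sources are case-insensitive, so both are
    lower-cased; a valueless directive such as upgrade-insecure-requests
    maps to an empty list.
    """
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def duplicate_headers(headers):
    """Header names (lower-cased) that occur more than once in the response."""
    counts = Counter(name.lower() for name, _ in headers)
    return sorted(name for name, n in counts.items() if n > 1)


def csp_findings(policy):
    """Findings for one parsed policy."""
    findings = []
    if "default-src" not in policy:
        findings.append("csp: no default-src fallback")
    # script-src falls back to default-src when it is absent
    script = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" in script:
        findings.append("csp: script-src allows 'unsafe-inline'")
    if any(s in ("*", "http:", "https:") for s in script):
        findings.append("csp: script-src allows scripts from any origin")
    if "form-action" not in policy:
        findings.append("csp: form-action not restricted")
    if "upgrade-insecure-requests" not in policy:
        findings.append("csp: upgrade-insecure-requests not set")
    return findings


def check_headers(headers):
    """Return a list of findings for a full response header list."""
    findings = [f"duplicate header: {n}" for n in duplicate_headers(headers)]
    csp_values = [v for n, v in headers if n.lower() == "content-security-policy"]
    if not csp_values:
        findings.append("missing Content-Security-Policy")
    for value in csp_values:
        findings.extend(csp_findings(parse_csp(value)))
    present = {n.lower() for n, _ in headers}
    findings.extend(f"missing header: {h}" for h in REQUIRED_HEADERS if h not in present)
    return findings


if __name__ == "__main__":
    for label, headers in (("sample", SAMPLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {check_headers(headers) or 'no findings'}")
```

Duplicated CSP headers are worth catching even though they are not an outright error: a browser enforces every policy it receives, so a second header (for example one added by an application such as Nextcloud on top of the vhost's own) silently narrows the effective policy to what both allow, which is the kind of trial-and-error confusion the comments describe.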
