
Nginx content security policy

Security is a forever concern. After much research, many software tweaks and upgrades, most items are as secure as one can reasonably make them. With one exception, that is. I've done substantial reading on the matter, yet grasping the use of the CSP is evasive. What would you recommend for use with Elk?

Re: Nginx content security policy

Reply #1
There are a few X- headers set by ElkArte for you; not all browsers support these, but they are set:

- X-Frame-Options: SAMEORIGIN (can't render in an iframe, which helps avoid clickjacking)
- X-XSS-Protection: 1 (enables the browser's cross-site scripting (XSS) filter)
- X-Content-Type-Options: nosniff (disables content-type sniffing)

Now onto the Content-Security-Policy (CSP) header.  Unfortunately I think what you would have to add would be so weak it may be of no use at all.  :(

We have quite a lot of inline JS and some CSS that we add to the page, so you would need to add the 'unsafe-inline' directive, which "opens" probably the largest area that a CSP header would block. I think there may be a couple of old JavaScript eval's in use as well, so you also have to add 'unsafe-eval', so: script-src 'self' 'unsafe-inline' 'unsafe-eval'; and style-src 'self' 'unsafe-inline';

You would have to use an image proxy for all attachments and set things up so avatars are copied local, and still then allow gravatar and probably a few other sources.  img-src 'self' and all the other http(s) that load images and the like

If you use any CDNs you would have to allow them as well (jquery, google, etc.), and any ad or analytics sources would also have to be allowed in the respective directives.

Then there are media sources, so for all those embedded video links you need to allow the various sites that you allow, YouTube, Vimeo etc. etc., so media-src youtube bla bla bla.

And if you use a theme that uses custom fonts or fontawesome icons then you have to allow those in as well, I think that would all be in the "font-src" directive

That's just for starters ... you could probably use the browser's developer tools to see all the assets that are being loaded and from where, so you can "allow" them in your CSP, but it's already looking like Swiss cheese .. and we have not even considered addons.
Squish squish. squish, squish, squish.
Find a bug,
Make a wish.
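An nginx server block that puts the reply's directives together, added here as an example (it is not ElkArte's code, nor something the poster supplied): it keeps the three X- headers, builds the CSP one directive at a time, and ships it as Content-Security-Policy-Report-Only first so violations are logged rather than blocked. The host names, paths and PHP-FPM socket are assumptions standing in for whatever your forum really loads; the reply's "media-src youtube" is shown under frame-src because YouTube and Vimeo embeds are iframes, and media-src only covers <video>/<audio> elements.

```nginx
# Added example for the thread above; not code from ElkArte or the poster.
# Every host name after 'self', the paths and the socket are assumptions.
server {
    listen 443 ssl;
    server_name forum.example.com;                    # assumption
    root /var/www/elkarte;                            # assumption
    ssl_certificate     /etc/ssl/forum.example.com.crt;   # assumption
    ssl_certificate_key /etc/ssl/forum.example.com.key;   # assumption

    # The headers the reply says ElkArte already sends, repeated so they are
    # kept if header management moves into nginx. Caveat: add_header inside a
    # location {} block replaces the inherited set instead of extending it, so
    # any location with its own add_header silently drops all of these.
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-XSS-Protection 1 always;
    add_header X-Content-Type-Options nosniff always;

    # Build the policy with set/${csp} rather than one multi-line quoted
    # string, which would put raw newlines into the header value.
    set $csp "default-src 'self';";
    # Elk's inline scripts and eval() force both 'unsafe-*' sources the reply
    # mentions; they are what makes this script-src rule nearly useless.
    set $csp "${csp} script-src 'self' 'unsafe-inline' 'unsafe-eval' https://code.jquery.com https://ajax.googleapis.com;";
    set $csp "${csp} style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com;";
    # Local avatar/attachment copies plus Gravatar; every remote image host
    # you find has to be listed here, or you end up with img-src https:.
    set $csp "${csp} img-src 'self' data: https://secure.gravatar.com;";
    # Theme fonts / Font Awesome, if served from a CDN (assumed host).
    set $csp "${csp} font-src 'self' data: https://cdnjs.cloudflare.com;";
    # <video>/<audio> sources; YouTube/Vimeo embeds are <iframe>s and are
    # governed by frame-src instead.
    set $csp "${csp} media-src 'self';";
    set $csp "${csp} frame-src https://www.youtube.com https://player.vimeo.com;";
    # CSP-native equivalent of X-Frame-Options SAMEORIGIN.
    set $csp "${csp} frame-ancestors 'self';";

    # Report-Only: the browser logs each violation to its console (and POSTs
    # it to report-uri, if set) without blocking anything. Rename this header
    # to Content-Security-Policy only once the console stays clean.
    add_header Content-Security-Policy-Report-Only $csp always;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;       # assumption
        # Deliberately no add_header here (see the caveat above).
    }
}
```

Check the file with `nginx -t`, reload, then browse the forum as a logged-in user with your theme and addons active and watch the developer console for "Refused to load ..." reports; each reported origin either goes into the matching directive or is the evidence that the policy cannot be tightened beyond the Swiss cheese the reply describes.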


Re: Nginx content security policy

Reply #2
Thanks spuds. Your outline is more informative than weeks' worth of Googling! Sounds as though "leave it alone" is the reality.