Content Security Policy (CSP)

August 1st, 2017

A while ago, I discovered Scott Helme's securityheaders.io. It's a site that gives you an overview of the security headers for any given site: what's enabled, what's missing, and the specifics of each enabled header. Some are simple, a short line and your site is more secure. However, if you don't understand what you are doing, it's easy to break parts of the site.

First, a relatively simple one: X-Content-Type-Options. I have this set to "nosniff". As far as I can tell, this only requires that you've set a MIME type on all style and script tags, so stylesheet files get type="text/css", while script tags get type="application/javascript" or type="text/javascript", although the latter seems to be deprecated.


IMPLEMENTING CSP

More time-consuming is CSP. I'm loading content from cloudflare.com, code.jquery.com, and several others. I'm still not entirely sure I've understood it fully, but it does seem to work. There are directives such as script-src, img-src, font-src, and many others; these determine what kind of content each rule applies to. "script-src 'self' *.example.com;" would allow scripts to be loaded from the same origin, as well as from example.com plus any subdomains, like sub.example.com.

So the format is: a content type (the directive), followed by the whitelisted domains it may be loaded from. A semicolon ends one directive and begins the next, and the whole policy is wrapped in quotation marks.

This might vary at least slightly between different web servers. I’m currently running Apache.

To give an example, here's mine at the time of writing (normally one line; here it is broken up for readability using Apache's backslash line continuation, so it still parses as a single directive):

Header set Content-Security-Policy \
    "script-src 'self' code.jquery.com *.gravatar.com *.cloudflare.com *.wordpress.com; \
     style-src 'self' *.cloudflare.com; \
     img-src 'self';"

From what I can see, WordPress uses inline scripting, at least in the comment fields. This can be allowed with 'unsafe-inline', but I am uneasy about that one, because it sounds like something that would increase the risk of XSS. Personally, I'm looking for a better solution. As a temporary workaround, I added a contact page (it's not pretty, but it does the job).
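To make the syntax above concrete, here is an added example (my own code, not from this post, from securityheaders.io or from any browser) that parses a CSP header, answers "would this URL be allowed to load?" for a given directive, and flags the two things a reviewer would raise first: a missing default-src and 'unsafe-inline' in script-src. The page origin https://blog.example and the URLs it is checked against are constructed for the example; the policy string is the one from the post, joined onto one line as Apache actually sends it. It implements the common source forms only ('self', bare host, '*.' wildcard, scheme-qualified host, scheme-source), not the full CSP Level 3 matching algorithm (no port or path matching, no nonce or hash evaluation).

```python
"""CSP source matching and lint, as an added example (not the post's own code)."""
from typing import Dict, List
from urllib.parse import urlsplit

# Fetch directives that inherit default-src when they are not listed.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src", "connect-src"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Turn "name src src; name src" into {name: [sources]}.

    Names are case-insensitive; the first occurrence of a name wins, which is
    how browsers treat duplicated directives.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _host_matches(pattern: str, host: str) -> bool:
    """'*.example.com' matches sub.example.com (any depth) but NOT example.com itself."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] is ".example.com"
    return host == pattern


def source_allows(source: str, url: str, page_origin: str) -> bool:
    """Does one source expression permit fetching url from a page at page_origin?"""
    target, origin = urlsplit(url), urlsplit(page_origin)
    host = (target.hostname or "").lower()
    if source == "'self'":
        return (target.scheme, host) == (origin.scheme, (origin.hostname or "").lower())
    if source.startswith("'"):
        # 'none', 'unsafe-inline', 'unsafe-eval', nonces and hashes never authorise a URL fetch
        return False
    if "://" in source:  # scheme-qualified host, e.g. https://cdn.example.com
        scheme, _, pattern = source.partition("://")
        return target.scheme == scheme.lower() and _host_matches(pattern.lower(), host)
    if source.endswith(":"):  # scheme-source, e.g. https:
        return target.scheme == source[:-1].lower()
    # Bare host: the scheme must equal the page's, except that an http page may load https.
    if target.scheme != origin.scheme and not (origin.scheme == "http" and target.scheme == "https"):
        return False
    return _host_matches(source.lower(), host)


def is_allowed(policy: Dict[str, List[str]], directive: str, url: str, page_origin: str) -> bool:
    """Apply the fallback rule: a missing fetch directive uses default-src, and
    when default-src is missing too, the load is unrestricted."""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:
        return True
    return any(source_allows(s, url, page_origin) for s in sources)


def lint(policy: Dict[str, List[str]]) -> List[str]:
    """Findings a reviewer would raise before deploying the policy."""
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: any directive not listed (font-src, connect-src, ...) allows everything")
    for name, sources in policy.items():
        if "'unsafe-inline'" in sources and name in ("script-src", "default-src"):
            findings.append(name + " allows 'unsafe-inline': an injected inline script would run")
        if "*" in sources:
            findings.append(name + " allows any host")
    return findings


# The policy from the post, joined onto one line as Apache sends it,
# and a constructed page origin to evaluate it against.
POST_POLICY = ("script-src 'self' code.jquery.com *.gravatar.com *.cloudflare.com *.wordpress.com; "
               "style-src 'self' *.cloudflare.com; img-src 'self'")
ORIGIN = "https://blog.example"  # constructed

if __name__ == "__main__":
    policy = parse_csp(POST_POLICY)
    checks = [  # constructed URLs
        ("script-src", "https://code.jquery.com/jquery.min.js"),
        ("script-src", "https://cdnjs.cloudflare.com/ajax/libs/x.js"),
        ("script-src", "https://cloudflare.com/x.js"),  # apex: not covered by *.cloudflare.com
        ("img-src", "https://secure.gravatar.com/avatar/abc"),
        ("font-src", "https://anywhere.example/font.woff"),  # no font-src and no default-src
    ]
    for directive, url in checks:
        verdict = "allowed" if is_allowed(policy, directive, url, ORIGIN) else "BLOCKED"
        print(f"{directive:10} {url:50} {verdict}")
    for finding in lint(policy):
        print("lint:", finding)
```

Two things the run makes visible that are easy to miss when reading a policy: a wildcard such as *.cloudflare.com covers subdomains only, so a script served from the apex domain would be blocked unless the apex is listed separately; and because the policy has no default-src, every directive it does not mention (font-src, connect-src, frame-src and so on) is left wide open. On the 'unsafe-inline' question, CSP Level 2 lets you allow a specific inline script by its nonce or SHA-256 hash instead of allowing all inline script, which is the usual way to avoid 'unsafe-inline' while keeping a theme's inline code working.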


THE ROAD TO BULLETPROOF

Correct, that will never happen. There is no such thing, in the tech world anyway, and probably not in any other area either. However, upcoming are IPv6, DNSSEC, DANE, Perfect Forward Secrecy, DNS CAA, and SNI. Some of these are pretty simple; IPv6 is, to my current knowledge, only a DNS record. I will post about how each of these is implemented when I get to it. I will likely have to move to another hosting service to complete the process, so I need to find out which one is better to use. DigitalOcean looks good, and is used by some very smart people security-wise. Azure and AWS do however seem like the kings of the industry, so I might have a lot to gain by learning one of them. AWS is the current leader among the two, because of DNSSEC.

I will also fix the responsive side of things. It works, but doesn't look amazing.

More info:
https://content-security-policy.com/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy