webapp and headers compliance.
thctlo last edited by
I’m setting up a new server with latest devellopment packages on a debian 10 server.
My goal is to keep the security levels at modern as possible.
i use this site to validate my settings on header security.
https://securityheaders.com/ and ssllabs.com for the ssl settings.
with all settings at A+ levels, the webapp doesnt open the/show the login part.
site shows up, but, no place to enter your login/pass…
im seeing the following. ( in webbrower console (F12))
server.fqdn/:21 :53 :56 (: the line nrs)
Refused to execute inline script because it violates the following
Content Security Policy directive: “script-src ‘self’”.
Either the ‘unsafe-inline’ keyword, a hash (‘sha256-UybDlKMXsBrbiJfasdDFff423wfwefg7zdOAwB+xTj9wCm8XBc=’),
or a nonce (‘nonce-…’) is required to enable inline execution.
Changing the code here im suspecting its the java script part to a .js file would be just a bit nicer ;-)
Just reporting it, i dont need a fix, im posting it here so everybody can make it just a bit more secure.
I’ll lower the security level a bit on the script-src part., so i did set: script-src ‘unsafe-inline’ for now.
I went from A+ to A… with the message. :
Content-Security-Policy This policy contains ‘unsafe-inline’ which is dangerous in the script-src directive.
The current header security setting im using now in as default for the server, might be handy for someone, do note, its a base and has the focus on 1 server setup only.
Header set X-Content-Type-Options "nosniff" # options are deny, sameorigin, allow-from http(s)://www.domain.tld Header always append X-Frame-Options "SAMEORIGIN" Header set X-XSS-Protection "1; mode=block" Header set X-Permitted-Cross-Domain-Policies "none" # Referrer-Policy # https://scotthelme.co.uk/a-new-security-header-referrer-policy/ Header set Referrer-Policy "same-origin" # Permissions Policy # https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/ Header set Permissions-Policy geolocation=(self) # Content-Security-Policy # https://scotthelme.co.uk/content-security-policy-an-introduction/ Header set X-Content-Security-Policy "default-src 'self'; img-src 'self'; style-src 'self'; font-src 'self'; script-src 'unsafe-inline'; connect-src 'self';" Header set Content-Security-Policy "default-src 'self'; img-src 'self'; style-src 'self'; font-src 'self'; script-src 'unsafe-inline'; connect-src 'self';" # script-src 'unsafe-inline' is set of you dont see the login/password line in webapp # You can mitigate most of the common Cross Site Scripting attack using HttpOnly # and Secure flag in a cookie. Without having HttpOnly and Secure, it is possible # to steal or manipulate web application session and cookies, and it’s dangerous. Header edit Set-Cookie: ^(.*)$ $1;HttpOnly;Secure
thctlo last edited by
@thctlo i had to turn off CSP completly in order to make it work (for now).
i’ll have to dig deeper into this to see whats more needed.