View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 12569 | Feature requests | [All Projects] Security | public | 2017-08-04 12:36 | 2018-03-14 15:57 |

| Target Version | Fixed in Version |
|---|---|
| | |

Summary: 12569: Content-Security-Policy (CSP) HTTP response header absent
See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP. This header can potentially disarm a range of client-side attacks.
A manual nginx setting
Tags: No tags attached.
I don't currently see how the average user would be able to handle that.
I don't see an easy way to implement that right now. So what do you suggest?
It is indeed a good practice to return a Content-Security-Policy header as it prevents different types of XSS attacks.
IMHO you have two ways of implementing this:
Here is what we use on our server:
Here is what it means:
(The last one could be made less strict if people need to include images from other domains.)
Allowing inline scripts and eval is not very secure but disallowing them breaks some parts of LimeSurvey :/
It's also a good idea to define the following headers:
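As an added example (not code from LimeSurvey or from this issue), a small checker that parses a Content-Security-Policy value and reports the weakening tokens discussed in the comment above, including the case where the header is missing entirely; the sample header values are constructed.

```python
"""Audit a Content-Security-Policy header value for weak directives.

Added example, not code from LimeSurvey or this issue; sample header
values are constructed for illustration.
"""
from typing import Dict, List, Optional

# Source expressions that widen a policy enough to deserve a warning.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:"}
# script-src governs scripts; when absent, default-src is the fallback.
SCRIPT_DIRECTIVES = ("script-src", "default-src")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]}.

    Directives are ';'-separated, each a name followed by whitespace-
    separated sources. A repeated directive name is ignored (first wins).
    """
    policy: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_csp(header: Optional[str]) -> List[str]:
    """Return findings for one response; None models an absent header."""
    if header is None:
        return ["Content-Security-Policy header absent"]
    policy = parse_csp(header)
    findings: List[str] = []
    for name in SCRIPT_DIRECTIVES:
        if name in policy:
            findings += [f"{name} allows {s}" for s in policy[name] if s in WEAK_SOURCES]
            break  # the governing directive was found; do not consult the fallback
    else:
        findings.append("no script-src or default-src: scripts unrestricted")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src not restricted")
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the tradeoff described in the comment:
    # inline scripts and eval allowed so the application keeps working.
    sample = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'"
    for finding in audit_csp(sample):
        print(finding)
```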
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2017-08-04 12:36 | SNMNL | New Issue | |
| 2017-10-06 16:24 | c_schmitz | Assigned To | => c_schmitz |
| 2017-10-06 16:24 | c_schmitz | Status | new => feedback |
| 2017-10-06 16:24 | c_schmitz | Note Added: 44548 | |
| 2018-02-15 12:18 | c_schmitz | Project | Bug reports => Feature requests |
| 2018-03-14 15:57 | Rudloff | Note Added: 47041 | |