How To Fix a Missing Content-Security-Policy on a Website

Kent Ickler

Content-Security-Policy-What-What?

Content-Security-Policy is a security header that can (and should) be included in responses from your website's server to a client. When a user goes to your website, the client and server use headers to exchange information about the browsing session. This typically happens in the background, unbeknownst to the user. Some of those headers can change the user experience, and some, such as Content-Security-Policy, affect how the web browser handles loading certain resources (like CSS files, JavaScript, images, etc.) on the web page.

Content-Security-Policy tells the web browser which resource locations the web server trusts and which are therefore okay to load. If a resource from an untrusted location is added to the web page by a man-in-the-middle (MiTM) or by dynamic code, the browser will know that the resource isn't trusted and will refuse to process it.

Check if you have Content-Security-Policies already enabled

If you haven't heard of these headers before, you probably don't have them enabled. They aren't automatic. A quick way to check is to go to www.securityheaders.io and scan your website. You can also check in Firefox's Developer Console.

Identifying Your Trusted Sources

In our case, we needed to identify trusted resource sources. This was pretty easy to do with "Developer Mode" in Firefox. We loaded our web page, set the Content-Security-Policy, and counted the errors that appeared in the console of the Developer Panel. Each error was a violation of our Content-Security-Policy. We used that information to add sources to our policy until all our content loaded appropriately.

Consult with your web developers, as they may be able to provide you with a list of all the source locations that should be trusted.

Create and Configure the Content-Security-Policy in Apache

The header we need goes in the httpd.conf file (alternatively, apache.conf, etc.).

In httpd.conf, find the section for your VirtualHost.

Next, find your <IfModule headers_module> section. If it doesn't exist, you will need to create it and add our specific headers.

# The address and port here are an example; keep the ones on your existing VirtualHost line
<VirtualHost *:443>

    # ~Bits of important stuff here~

    <IfModule headers_module>
        RequestHeader set X-HTTPS 1
        # Locations the browser is allowed to load resources from
        Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' www.blackhillsinfosec.com fonts.googleapis.com;"
    </IfModule>

    # ~more bits of important stuff~

</VirtualHost>

Restart Apache

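sudo service apache restart

(The service name depends on your distribution; it is commonly apache2 or httpd rather than apache.)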

Test that change!

Wow, looks like we still have some sources we need to trust. Note the sections highlighted.

Update that Header Set with a Few More Sources

Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' www.blackhillsinfosec.com fonts.googleapis.com fonts.static.com www.google-analytics.com;"

Don't forget to restart Apache after your change.

Soon, you'll have your page configured properly with Content-Security-Policies and trusted sources. Note that the resource errors in the Firefox developer console are now clear after refreshing.
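The same "add sources until the errors clear" loop can be checked offline against a list of the resources a page loads. The Python below is an added example, not code from the original post; the page URL and resource URLs are constructed samples, and the matching is deliberately simplified to compare host names against default-src only (scheme, port, path and more specific directives such as script-src are not evaluated).

```python
from urllib.parse import urlsplit

def parse_csp(header_value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy

def host_allowed(host, page_host, sources):
    """Simplified matching: host names only; scheme, port and path are ignored."""
    for src in sources:
        if src == "*" or (src == "'self'" and host == page_host):
            return True
        if src.startswith("'") or src.endswith(":"):
            continue  # keywords such as 'unsafe-inline' and scheme sources name no host
        pattern = urlsplit(src if "//" in src else "//" + src).hostname or ""
        # *.example.com covers subdomains only, not example.com itself
        if host == pattern or (pattern.startswith("*.") and host.endswith(pattern[1:])):
            return True
    return False

def missing_sources(header_value, page_url, resource_urls):
    """Hosts that default-src would block, in first-seen order."""
    sources = parse_csp(header_value).get("default-src")
    if sources is None:
        return []  # no default-src means no fallback restriction
    page_host = urlsplit(page_url).hostname
    missing = []
    for url in resource_urls:
        host = urlsplit(url).hostname
        if host and host not in missing and not host_allowed(host, page_host, sources):
            missing.append(host)
    return missing

# Policy value from the first Header set line above; the URLs are constructed samples.
POLICY = "default-src 'self' 'unsafe-inline' www.blackhillsinfosec.com fonts.googleapis.com;"
PAGE = "https://www.blackhillsinfosec.com/"
RESOURCES = [
    "https://www.blackhillsinfosec.com/style.css",
    "https://fonts.googleapis.com/css?family=Example",
    "https://fonts.static.com/example.woff",
    "https://www.google-analytics.com/analytics.js",
]

if __name__ == "__main__":
    print("still blocked:", missing_sources(POLICY, PAGE, RESOURCES))
```

Run against the first policy, it reports the two hosts that the updated Header set line adds; run against the updated policy, it reports none.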

Header Set Content-Security-Policy

Scott Helme (@Scott_Helme) has done a significant amount of research and helped pave the way for web developers to fully implement Content-Security-Policies. Here is some great content that Scott has put together to assist in the proper implementation of Content-Security-Policies.

Content Security Policy Introduction – Link: https://scotthelme.co.uk/content-security-policy-an-introduction/

Content Security Policy Cheat Sheet – Link: https://scotthelme.co.uk/csp-cheat-sheet/

Soon: Configuring Referrer-Policy!


