How To Fix a Missing Content-Security-Policy on a Website
Kent Ickler //
Content-Security-Policy tells the web browser which resource locations the web server trusts and is okay to load. If a resource from an untrusted location is added to the web page by a MiTM or by dynamic code, the browser knows that the resource isn't trusted and refuses to load it.
Check if you have Content-Security-Policies already enabled
If you haven't heard of these headers before, you probably don't have them enabled; they aren't automatic. A quick way to check is to go to www.securityheaders.io and scan your website. You can also check in Firefox's Developer Console.
Identifying Your Trusted Sources
In our case, we needed to identify trusted resource sources. This was pretty easy to do with "Developer Mode" in Firefox. We loaded our web page, set the Content-Security-Policy, and saw how many errors the console in the Developer panel reported. Each error was a violation of our Content-Security-Policy. We used that information to add sources to our policy until all our content loaded appropriately.
Consult with your web-developers as they may be able to provide you a list of all the source locations that should be trusted.
Create and Configure the Content-Security-Policy in Apache
The header we need to add goes in the httpd.conf file (alternatively, apache.conf, etc., depending on your distribution).
In httpd.conf, find the section for your VirtualHost.
Next, find your <IfModule headers_module> section. If it doesn't exist, you will need to create it and add the headers shown below.
<VirtualHost *:443>
    # ~Bits of important stuff here~ (the address and port above are an example; use your site's own)
    <IfModule headers_module>
        RequestHeader set X-HTTPS 1
        Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' www.blackhillsinfosec.com fonts.googleapis.com;"
    </IfModule>
    # ~more bits of important stuff~
</VirtualHost>
sudo service httpd restart    (on Debian/Ubuntu: sudo service apache2 restart)
Test that change!
Wow, looks like we still have some sources we need to trust. Note the highlighted sections in the console.
Update that Header Set with a Few More Sources
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' www.blackhillsinfosec.com fonts.googleapis.com fonts.static.com www.google-analytics.com;"
Don’t forget to restart Apache after your change.
Soon, you'll have your page configured properly with Content-Security-Policies and trusted sources. Note that the resource errors in the Firefox developer console are now gone after refreshing.
Header Set Content-Security-Policy
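Before restarting Apache it helps to read back the policy value you are about to ship. The following is an added example, not code from the original post: it parses a CSP header value the way a browser tokenizes it (directives split on ';', sources on whitespace) and reports which hosts are trusted and which settings a reviewer would flag, such as the 'unsafe-inline' keyword this post's policy relies on. The sample policy string is the final one built above; the function names are my own.

```python
from typing import Dict, List

# Constructed input: the final policy value from the Apache config above.
EXAMPLE_POLICY = ("default-src 'self' 'unsafe-inline' www.blackhillsinfosec.com "
                  "fonts.googleapis.com fonts.static.com www.google-analytics.com;")

# Directives where the 'unsafe-inline' keyword actually changes behaviour.
INLINE_DIRECTIVES = {"default-src", "script-src", "style-src"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace. Directive names
    are case-insensitive; a directive repeated later in the value is ignored
    by browsers, so only the first occurrence is kept.
    """
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def review_csp(value: str) -> Dict[str, object]:
    """Return the trusted hosts and the findings a reviewer would raise."""
    policy = parse_csp(value)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("no default-src: fetch directives you did not set have no fallback")
    for name, sources in policy.items():
        if name in INLINE_DIRECTIVES and "'unsafe-inline'" in sources:
            findings.append(f"{name} allows 'unsafe-inline': inline scripts/styles are not restricted")
        if "*" in sources:
            findings.append(f"{name} allows any host (*)")
    # Keyword sources ('self', 'unsafe-inline', ...) are quoted and scheme
    # sources (https:, data:) end in ':'; the remaining tokens are host names.
    hosts = sorted({s for srcs in policy.values() for s in srcs
                    if not s.startswith("'") and s != "*" and not s.endswith(":")})
    return {"directives": policy, "hosts": hosts, "findings": findings}


if __name__ == "__main__":
    report = review_csp(EXAMPLE_POLICY)
    for host in report["hosts"]:
        print("trusted host:", host)
    for finding in report["findings"]:
        print("finding:", finding)
```

Run against the policy above it lists the four trusted hosts and flags that default-src permits 'unsafe-inline', which is worth tightening once your developers have moved inline scripts and styles into files.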
Scott Helme @Scott_Helme has done a significant amount of research and helped pave the way for web-devs to fully implement Content-Security-Policies. Here is some great content that Scott has put together to assist in the proper implementation of Content-Security-Policies.
Content Security Policy Introduction – Link: https://scotthelme.co.uk/content-security-policy-an-introduction/
Content Security Policy Cheat Sheet – Link: https://scotthelme.co.uk/csp-cheat-sheet/
Soon: Configuring Referrer-Policy!
July 24, 2017 @ 11:22 am
This is something that I have to deal with quite a bit, and this is a great intro. I’d like to point out that “Header set Content-Security-Policy” can be used in a Directory directive.
I like to use a very strict policy at the top and apply less strict policies in the directories that need it. I usually end up with just 1 or 2 apps that require external sources, so this keeps everything else a little tighter.