Check security server


#41

Don’t know if it helps you. Chrome tells you which directive it tried to use (img-src, for example).

add_header Content-Security-Policy "default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ https://*.nohatech.se/ blob: 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' blob:; font-src data: 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; child-src https://*.nohatech.se; object-src 'none'; frame-ancestors https://*.nohatech.se/; base-uri https://*.nohatech.se/ 'self'; media-src 'self';" always;

#42

Hello there,

I’m currently hardening my seafile server and use mozilla observatory as a benchmark. Unfortunately I’m only achieving a C+. Is anyone getting better results?
I use the CSP settings from @holantomas but those are deemed unsafe because of the use of “unsafe-inline” and ‘unsafe-eval’ in the script-src section. Is anyone aware of better/safer settings?
Additionally I am getting minus points because “Anti-CSRF tokens set without using the SameSite flag”. I added the secure flag using nginx “proxy_cookie_path” to all cookies but unfortunately that doesn’t seem to be enough. Are there any ideas how to improve my score?


#43

It’s been a little while since you wrote, but I want to push this topic again. I get B+ as the best result in Mozilla Observatory.

Additionally I am getting minus points because “Anti-CSRF tokens set without using the SameSite flag”. I added the secure flag using nginx “proxy_cookie_path” to all cookies but unfortunately that doesn’t seem to be enough. Are there any ideas how to improve my score?

You also have to set the “SameSite” flag, as explained in the text of the scanner.

Here “SameSite=strict” is used; I only added “SameSite=Lax” to the headers. Don’t know if “strict” breaks Seafile.

Edit: I think it’s a new criterion on the scanner. I haven’t changed anything on my webserver but I have gotten a lower grade.

I’m also very much interested in a better CSP. Does anybody have suggestions?


#44

That’s funny, because if you use my settings you will get better points, but it’s a whole change. There are inline scripts, styles and sources like base64 files. So if you block them via CSP, then some parts just stop working (the PDF viewer, for example). My settings just add the parts the CSP validator says are missing.

For everyone:
Until the Seafile developers change inline styles, JS scripts and blob sources to something safer, you have to have unsafe-inline. Ignoring this setting is the same as having it in your settings; the only difference is the points in the validator.
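As an added illustration of the two scanner findings discussed in this thread (not code from any poster or from Seafile), the script below parses the CSP from #41 and reports which directives still carry 'unsafe-inline' or 'unsafe-eval', and checks Set-Cookie lines for the Secure, HttpOnly and SameSite flags that #42 and #43 talk about. The cookie lines are constructed samples, not real Seafile output.

```python
# Added check for the two findings discussed above: CSP directives that still allow
# 'unsafe-inline'/'unsafe-eval', and cookies missing Secure/HttpOnly/SameSite.

# CSP value taken from the add_header line in post #41 (nginx syntax stripped).
CSP_EXAMPLE = (
    "default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ "
    "https://*.nohatech.se/ blob: 'self' 'unsafe-inline' 'unsafe-eval'; "
    "img-src 'self' blob:; font-src data: 'self'; connect-src 'self'; "
    "style-src 'self' 'unsafe-inline'; child-src https://*.nohatech.se; "
    "object-src 'none'; frame-ancestors https://*.nohatech.se/; "
    "base-uri https://*.nohatech.se/ 'self'; media-src 'self';"
)

# Constructed Set-Cookie lines (not real Seafile output): one hardened, one lacking flags.
SET_COOKIE_EXAMPLES = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "csrftoken=def456; Path=/; Secure",
]

UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.
    Directives are separated by ';', tokens by whitespace; directive names are
    case-insensitive, and a repeated directive is ignored, as browsers do."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def unsafe_csp_directives(header):
    """Return {directive: [unsafe keywords]} for every directive that permits
    inline code or eval; script-src entries are what the scanner penalises."""
    findings = {}
    for name, sources in parse_csp(header).items():
        hits = sorted(s for s in sources if s.lower() in UNSAFE_KEYWORDS)
        if hits:
            findings[name] = hits
    return findings


def missing_cookie_flags(set_cookie):
    """List which of Secure, HttpOnly and SameSite are absent from a Set-Cookie
    header; the thread above shows that Secure alone is not enough for the scanner."""
    attrs = {part.strip().split("=")[0].lower() for part in set_cookie.split(";")[1:]}
    return [f for f in ("Secure", "HttpOnly", "SameSite") if f.lower() not in attrs]
```

Running `unsafe_csp_directives(CSP_EXAMPLE)` flags script-src and style-src, which matches the deductions reported above.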