I’m currently hardening my Seafile server and use Mozilla Observatory as a benchmark. Unfortunately I’m only achieving a C+. Is anyone getting better results?
I use the CSP settings from @holantomas, but those are deemed unsafe because of the use of 'unsafe-inline' and 'unsafe-eval' in the script-src section. Is anyone aware of better/safer settings?
Additionally I am getting minus points because “Anti-CSRF tokens set without using the SameSite flag”. I added the secure flag using nginx “proxy_cookie_path” to all cookies but unfortunately that doesn’t seem to be enough. Are there any ideas how to improve my score?
It’s been a while since you wrote this, but I want to push this topic again. I get B+ as the best result in Mozilla Observatory.
> Additionally I am getting minus points because “Anti-CSRF tokens set without using the SameSite flag”. I added the secure flag using nginx “proxy_cookie_path” to all cookies but unfortunately that doesn’t seem to be enough. Are there any ideas how to improve my score?
You also have to set the “SameSite” flag, as explained in the text of the scanner.
There “SameSite=strict” is used; I only added “SameSite=Lax” to the headers. I don’t know whether “strict” breaks Seafile.
Edit: I think it’s a new criterion on the scanner. I haven’t changed anything on my webserver, but I have gotten a lower grade.
I’m also very much interested in a better CSP. Does anybody have suggestions?
That’s funny, because if you use my settings you will get better points, but it’s a whole change. There are inline scripts, styles and sources like base64 files. So if you block them via CSP, some parts just stop working (the PDF viewer, for example). My settings just add the parts the CSP validator says are missing.
For everyone:
Until the Seafile developers change inline styles, JS scripts and blob sources to something safer, you have to have 'unsafe-inline'. Leaving this setting out is just the same as having it in your settings; the only difference is the points in the validator.
In fact, there is an error on my website with Seafile when I add the CSP header
add_header Content-Security-Policy "default-src 'self';" always;
or
add_header Content-Security-Policy "default-src 'self';";
With either one, Seafile no longer appears.
I go back to C when Seafile works again.
Using that policy, the login window disappears for me when visiting the website. This topic has been mentioned over and over again over the years in the forum, but no viable config seems to exist.
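The following nginx fragment is an added example for this thread; it is not Seafile's shipped configuration and not a config any poster above provided. It ties together the two problems discussed here: the missing SameSite flag on the anti-CSRF cookie (first post and the reply about SameSite), and a CSP that is stricter than the bare "default-src 'self'" which hides the login window, while still allowing the inline scripts, inline styles, data: and blob: sources the posts say Seahub currently needs. Assumptions, none of which come from the thread: nginx 1.19.3 or newer (for proxy_cookie_flags), Seahub reachable on 127.0.0.1:8000, the placeholder hostname seafile.example.com, Seahub's default cookie names sessionid and sfcsrftoken, that Seahub's JavaScript reads the CSRF cookie (the usual Django pattern, so it must not be HttpOnly), and that the PDF viewer needs worker-src blob:.

```nginx
# Added example for the thread above; not Seafile's own config.
# Assumes nginx >= 1.19.3, Seahub on 127.0.0.1:8000, default cookie
# names sessionid / sfcsrftoken, and a JS-readable CSRF cookie.
server {
    listen 443 ssl http2;
    server_name seafile.example.com;   # placeholder hostname

    # ssl_certificate / ssl_certificate_key as in your existing config

    # Weak (what the first post did): rewriting only the cookie path to
    # append "Secure". SameSite is still missing, so Observatory still
    # reports "Anti-CSRF tokens set without using the SameSite flag".
    # proxy_cookie_path / "/; Secure";

    # Too strict (what breaks the login page in the posts above):
    # add_header Content-Security-Policy "default-src 'self';" always;

    # Workable policy: permits the inline scripts/styles, 'unsafe-eval',
    # data: and blob: sources Seahub currently uses. 'unsafe-inline' in
    # script-src still costs Observatory points; that is unavoidable until
    # Seahub stops using inline scripts, as the thread notes.
    # worker-src blob: is an assumption for the PDF viewer's web worker.
    set $csp "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self'; worker-src 'self' blob:; frame-ancestors 'self'; object-src 'none'; base-uri 'self'; form-action 'self'";

    # Start in report-only mode: violations show up in the browser console
    # without blocking anything. Switch to the enforcing header only after
    # login, file browsing and the PDF viewer report no violations.
    add_header Content-Security-Policy-Report-Only $csp always;
    # add_header Content-Security-Policy $csp always;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Cookie flags on every Set-Cookie coming back from Seahub.
        # nginx applies the FIRST matching proxy_cookie_flags directive,
        # so the specific session-cookie rule must come before the
        # catch-all regex. HttpOnly is deliberately not applied to the
        # CSRF cookie (sfcsrftoken), since the frontend reads it.
        proxy_cookie_flags sessionid secure httponly samesite=lax;
        proxy_cookie_flags ~ secure samesite=lax;
    }
}
```

SameSite=Lax rather than Strict is used because Lax still sends the session cookie on top-level navigations (links from e-mails, shared-link redirects), which is what a Strict setting tends to break on login flows. Because Seahub is a Django application, the same cookie flags can alternatively be set at the source in seahub_settings.py with Django's SESSION_COOKIE_SECURE, SESSION_COOKIE_SAMESITE, CSRF_COOKIE_SECURE and CSRF_COOKIE_SAMESITE settings; that is an assumption about the deployment, not something reported in this thread, so verify the Set-Cookie headers with the browser's developer tools or `curl -I` after either change.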