Content-Security-Policy + other headers (v9)

Heyho

I’m currently testing a bit of CSP and other headers. I don’t know every single thing about it, so I was hoping we can fill in the missing/wrong parts together and maybe one day we’ll find them in the documentation part for Nginx and Apache config or implemented directly in Seafile?!
I’ve seen the other posts, which are helpful, but also a little outdated.

I use nginx and I’m currently working on the location / part:

        # nginx note: add_header is only inherited from the enclosing block when this block sets
        # no add_header of its own, so every header wanted here has to be repeated in this location.
        add_header X-CSRFToken $cookie_sfcsrftoken;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
        add_header Permissions-Policy "accelerometer=(); ambient-light-sensor=(); autoplay=(); battery=(); camera=(); cross-origin-isolated=(); display-capture=(); document-domain=(); encrypted-media=(); execution-while-not-rendered=(); execution-while-out-of-viewport=(); fullscreen=(); geolocation=(); gyroscope=(); keyboard-map=(); magnetometer=(); microphone=(); midi=(); navigation-override=(); payment=(); picture-in-picture=(); publickey-credentials-get=(); screen-wake-lock=(); sync-xhr=(); usb=(); web-share=(); xr-spatial-tracking=(); clipboard-read=(); clipboard-write=(); gamepad=(); speaker-selection=(); conversion-measurement=(); focus-without-user-activation=(); hid=(); idle-detection=(); interest-cohort=(); serial=(); sync-script=(); trust-token-redemption=(); window-placement=(); vertical-scroll=();" always;
        add_header Referrer-Policy no-referrer;
        # CSP note: 'none' is only valid as the sole source of a directive; written next to a host,
        # browsers ignore it and apply the host alone, so base-uri and frame-ancestors keep just the host
        # here (use 'none' by itself if the intent is to forbid framing / base tags entirely).
        add_header Content-Security-Policy "default-src 'self'; script-src https://seafile.com blob: 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' https://seafile.com blob: data:; style-src 'self' 'unsafe-inline'; require-trusted-types-for 'script'; object-src 'none'; font-src 'self' https://seafile.com; base-uri https://seafile.com; frame-ancestors https://seafile.com; form-action 'self' https://seafile.com; block-all-mixed-content;" always;

This works so far but I haven’t tried videos yet.

You can test your site there:

Change the domain seafile.com in the link to your own or paste your domain in the box


is deprecated. See Cross Site Scripting Prevention - OWASP Cheat Sheet Series


Thanks

Should we leave it like this:

#       add_header X-XSS-Protection "1; mode=block"; # Use it if you mainly use older browsers. https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#x-xss-protection-header
        add_header X-XSS-Protection "0";

https://observatory.mozilla.org/ and https://securityheaders.com/ still recommend it for older browsers.
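An offline check of the two header sets discussed above (the first post's nginx block and the X-XSS-Protection follow-up), added here as an example; it is not code from this thread, from Seafile or from nginx. SAMPLE_HEADERS is constructed to match what the first post's block would send (seafile.com is the thread's placeholder host); to audit a real deployment, replace it with the headers from `curl -sI` against your own host. The checks encode the points raised in the thread: 'none' mixed with a host is ignored by browsers, 'unsafe-inline'/'unsafe-eval' undo most of what script-src buys, block-all-mixed-content is deprecated, X-XSS-Protection should be "0" or absent per OWASP, and X-Frame-Options should agree with frame-ancestors since the latter wins where supported.

```python
"""Audit security response headers offline (added example; the header values
below are constructed from the thread's nginx snippets, not captured traffic)."""

SAMPLE_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'self'; "
        "script-src https://seafile.com blob: 'self' 'unsafe-inline' 'unsafe-eval'; "
        "img-src 'self' https://seafile.com blob: data:; "
        "style-src 'self' 'unsafe-inline'; "
        "require-trusted-types-for 'script'; object-src 'none'; "
        "font-src 'self' https://seafile.com; "
        "base-uri 'none' https://seafile.com; "
        "frame-ancestors 'none' https://seafile.com; "
        "form-action 'self' https://seafile.com; block-all-mixed-content;"
    ),
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubdomains; preload",
    "Referrer-Policy": "no-referrer",
}


def parse_csp(value):
    """Split a CSP value into {directive: [source expressions]}.

    Directives are ';'-separated, tokens whitespace-separated, and the first
    token names the directive.  Browsers ignore a repeated directive (the
    first occurrence wins), which setdefault() mirrors."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def lint_csp(policy):
    """Return findings for the CSP mistakes visible in the thread's policy."""
    findings = []
    for name, sources in policy.items():
        # 'none' is only valid as the sole source; beside a host it is dropped.
        if "'none'" in sources and len(sources) > 1:
            effective = " ".join(s for s in sources if s != "'none'")
            findings.append(f"{name}: 'none' is ignored next to other sources; "
                            f"effective value is '{effective}'")
    # script-src falls back to default-src when it is absent.
    script = policy.get("script-src", policy.get("default-src", []))
    for weak in ("'unsafe-inline'", "'unsafe-eval'"):
        if weak in script:
            findings.append(f"script-src: {weak} re-enables what CSP exists to block")
    if "block-all-mixed-content" in policy:
        findings.append("block-all-mixed-content: deprecated; use upgrade-insecure-requests")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src: missing with no default-src fallback; set object-src 'none'")
    return findings


def lint_headers(headers):
    """Audit a dict of response headers (header names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    findings = lint_csp(csp)

    # OWASP: the legacy XSS auditor should be disabled ("0") or the header omitted.
    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        findings.append(f"X-XSS-Protection: '{xss}' enables the deprecated filter; use '0' or drop it")

    # Browsers that understand frame-ancestors ignore X-Frame-Options, so the
    # two headers should express the same policy.
    xfo = h.get("x-frame-options", "").strip().upper()
    ancestors = csp.get("frame-ancestors")
    if ancestors and xfo:
        agree = ((xfo == "SAMEORIGIN" and ancestors == ["'self'"])
                 or (xfo == "DENY" and ancestors == ["'none'"]))
        if not agree:
            findings.append(f"X-Frame-Options: '{xfo}' disagrees with frame-ancestors "
                            f"{ancestors}; frame-ancestors wins where supported")

    # HSTS: one year minimum and includeSubDomains (both required for preload).
    hsts = h.get("strict-transport-security", "")
    parts = [p.strip().lower() for p in hsts.split(";")]
    max_age = 0
    for p in parts:
        if p.startswith("max-age=") and p[8:].isdigit():
            max_age = int(p[8:])
    if hsts and (max_age < 31536000 or "includesubdomains" not in parts):
        findings.append("Strict-Transport-Security: needs max-age >= 31536000 and includeSubDomains")
    return findings


if __name__ == "__main__":
    for line in lint_headers(SAMPLE_HEADERS):
        print(line)
```

Run as-is it lists seven findings for the thread's policy; with the 'none' keywords removed, X-XSS-Protection set to "0" and X-Frame-Options brought in line with frame-ancestors, only the 'unsafe-inline'/'unsafe-eval' and block-all-mixed-content notes remain, which is the trade-off the first post accepts to keep Seafile working.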