CSP for public folders
#1

Hi,

I've enabled CSP and done some site checks. I get warnings that no CSP rules are defined for CSS, JS and images. As they are in the public folder, the CI rules do not apply (?) when they are accessed directly via a URL; that is what the site test detects.

I've tried adding additional CSP rules in the .htaccess, but that leads to problems, e.g. no nonce can be added there.

Can this issue be resolved, or should one just ignore the warnings?

Thanks for the help (or maybe a link to the solution that I overlooked).

thomas
#2

Read https://codeigniter4.github.io/CodeIgnit...ity-policy
and you need to configure CSP for your site.
#3

(03-25-2023, 03:31 AM)kenjis Wrote: Read https://codeigniter4.github.io/CodeIgnit...ity-policy
and you need to configure CSP for your site.

Thanks. For my site, it works fine. The CSP header is set as planned.

When I type a URL to an image, www.mysite.com/nice-image.jpg,

the image is shown, no CodeIgniter is involved (?) and there is no CSP directive in the network tab of the developer tools. Same for the CSS files.

This is what the security crawl detects.

So, if I understood that right, a CI configuration does not help?
#4

(03-25-2023, 03:44 AM)wine-fine Wrote: When I type a URL to an image, www.mysite.com/nice-image.jpg,

the image is shown, no CodeIgniter is involved (?) and there is no CSP directive in the network tab of the developer tools. Same for the CSS files.

Yes, if you navigate to www.mysite.com/nice-image.jpg, you will get the file.
Your web server will serve the file. CI4 has nothing to do with it.

What's your problem?
#5

(03-25-2023, 04:00 AM)kenjis Wrote:
(03-25-2023, 03:44 AM)wine-fine Wrote: When I type a URL to an image, www.mysite.com/nice-image.jpg,

the image is shown, no CodeIgniter is involved (?) and there is no CSP directive in the network tab of the developer tools. Same for the CSS files.

Yes, if you navigate to www.mysite.com/nice-image.jpg, you will get the file.
Your web server will serve the file. CI4 has nothing to do with it.

What's your problem?

That no CSP header is set for files accessed in the public folder. I get a security warning on that, and I am asking whether that is a threat or a bug in the check program.

If the question is stupid: I'm just running my shop business made with CI, not a coding scientist.
#6

Can you show the exact warning you get?
What checker do you use?
#7

(03-25-2023, 05:04 AM)kenjis Wrote: Can you show the exact warning you get?
What checker do you use?

The checker is Screaming Frog; the warning is «missing CSP header» for e.g. /css/main.css.
The OWASP ZAP checker does not warn.

The checker's warning is one side.

The main concern: can anybody do things to files, or with files, or add files in the public folder by bypassing the CSP rules that are set for the rest of the site when running via CI?

This could be prevented by setting .htaccess CSP rules, but that causes issues with the CI CSP rules set via the config file.

Thanks so far.
#8

As far as I know, the warning does not make sense.
Because if you get ./css/main.css (when it is surely a CSS file), it does not load any more content.
It is not a web page.

Quote:By injecting the Content-Security-Policy (CSP) headers from the server, the browser is aware and capable of protecting the user from dynamic calls that will load content into the page currently being visited.
https://cheatsheetseries.owasp.org/cheat...Sheet.html
#9

(03-25-2023, 05:18 AM)wine-fine Wrote: The main concern: can anybody do things to files, or with files, or add files in the public folder by bypassing the CSP rules that are set for the rest of the site when running via CI?

For example, if your site has functionality to upload files, and it uploads files under the public folder, an attacker can upload files to the public folder.

CSP mainly just prevents XSS attacks.
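For readers who, like post #7, want the scanner warning gone without clashing with the CSP header CodeIgniter sets for PHP-rendered pages, the two headers can be kept apart by scope. Requests that CodeIgniter's `.htaccess` rewrites to `index.php` are answered by PHP, so a `<FilesMatch>` block keyed on static file extensions only touches files Apache serves straight from disk. A nonce is not needed here: nonces must be random per response, which is why they cannot live in `.htaccess`, but a stylesheet or image loads no scripts of its own, so a policy that allows nothing is both safe and static. The fragment below is an added example written for this thread, not code from CodeIgniter or from any poster; it assumes Apache with `mod_headers` enabled and that it is placed in `public/.htaccess` alongside the framework's rewrite rules. The extension list is an assumption to adjust to your site.

```apache
# Added example, not part of the thread or of CodeIgniter.
# Sends a CSP header for assets that Apache serves directly from public/.
# Requires mod_headers; without it the block is skipped silently, so verify
# with your browser's network tab or the scanner after enabling.
<IfModule mod_headers.c>
    # Matches only files that exist on disk with these extensions. Requests
    # rewritten to index.php are served by PHP, so CodeIgniter's own CSP
    # header (app/Config/ContentSecurityPolicy.php) is left untouched.
    <FilesMatch "\.(css|js|mjs|jpe?g|png|gif|webp|ico|svg|woff2?|ttf|map)$">
        # These resources never load subresources of their own, so a policy
        # that permits nothing is the safe choice and needs no nonce.
        # For SVG, which a browser can open as a document containing script,
        # this policy also blocks that script.
        Header set Content-Security-Policy "default-src 'none'"
        # Stops the browser from reinterpreting an asset as another type.
        Header set X-Content-Type-Options "nosniff"
    </FilesMatch>
</IfModule>
```

This addresses only the "missing CSP header" finding for static files. It does not change what post #9 describes: if an upload feature writes into `public/`, the concern is the upload path itself (where files are stored and how they are validated), not the CSP header served with them.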