How to override default CSP rule in Codeigniter 4?
Dear Friends,

I am using Codeigniter 4. I need to add my CSP rules as part of a security audit. When I enable the line

```php
public bool $CSPEnabled = true;
```

in Config/App.php, Codeigniter 4 sets some default CSP rules. I need to override them with my rules. I tried with my CSP rules below that line in Config/App.php as below:

```php
public bool $CSPEnabled = true;
$Config = [
    'ContentSecurityPolicy' => [
        'default-src'     => "'self'",
        'script-src'      => "'self' https://example.com/scripts/",
        'style-src'       => "'self'",
        'font-src'        => "'self' https://example.com/fonts/",
        'img-src'         => "'self' 'unsafe-inline' data:",
        'object-src'      => "'none'",
        'frame-ancestors' => "'none'",
    ],
];
```

But it's not working. Please help.

Thanks
Anes P A
10-31-2023, 01:06 AM
(This post was last modified: 10-31-2023, 01:06 AM by postgres. Edit Reason: to align)
Dear Friends,

I got the solution. Adding the line

```apache
Header always set Content-Security-Policy "default-src 'self''unsafe-inline' https://www.google.com/ https://code.jquery.com font-src 'self' https://fonts.googleapis.com"
```

in httpd.conf (for Apache server) gave the option to override the default CSP rule.

Thanks
Anes P A

egranty, 12-30-2023, 09:46 AM

(10-31-2023, 01:06 AM)postgres Wrote: Dear Friends,

1. You just fooled the security audit by publishing a broken Content-Security-Policy header (check the messages in your browser console):
- missing semicolon before font-src
- there is a space missing between 'self' and 'unsafe-inline'.

A syntactically correct CSP header should look like this:

```
"default-src 'self' 'unsafe-inline' https://www.google.com/ https://code.jquery.com; font-src 'self' https://fonts.googleapis.com"
```

2. The Header always set in httpd.conf is not flexible and has the side effect that the CSP header will be sent with any file and HTML page. For example, you will spend a long time looking for the reason why workers do not work.

The default CSP settings are in the /app/Config/ContentSecurityPolicy.php file, but if you want to change them, don't edit this file. If you need to make changes to the default CSP at runtime, you can do so by adding/setting the $response->CSP object:

```php
$this->response->CSP->setScriptSrc("'self' cdn.example.com"); // Specify script-src set, overrides default settings
```

Also you can easily publish any CSP header in CI without setting $CSPEnabled = true;:

```php
$this->response->setHeader('Content-Security-Policy', "default-src 'self' 'unsafe-inline' https://www.google.com/ https://code.jquery.com; font-src 'self' https://fonts.googleapis.com;");
```

(12-30-2023, 03:23 PM)kenjis Wrote:
(12-30-2023, 09:46 AM)egranty Wrote: The default CSP settings are in the /app/Config/ContentSecurityPolicy.php file, but if you want to change them, don't edit this file.

My points:

1. The habit of not touching the system files of the engine: they can be restored when the CMS is updated. Moreover, the developers have built in convenient methods for changing the default settings.

2. Different sections of the site may have different Content Security Policies (CSP): those related to payment - more strict; articles and forum - more lenient. Pages with HTTP response codes 403/404/5xx should also have a very strict CSP.

3. Some CSP directives are accompanied by additional HTTP headers. For example, the frame-ancestors directive is paired with the X-Frame-Options header to provide backward compatibility with legacy browsers. The report-to directive must be preceded by a Report-To HTTP header. It is more convenient to manage all this from one place, rather than from different modules.
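Added example, not from the thread or the CodeIgniter project: a small Python linter that splits a Content-Security-Policy header value the way a browser does and reports the two slips egranty points out in the httpd.conf header above (the missing ';' before font-src, and 'self''unsafe-inline' fused without a space). It goes one step beyond the thread and also flags keyword sources written without quotes, since an unquoted self is parsed as a host name; the directive and keyword lists are an assumed subset, enough for the headers discussed here.

```python
import re

# Directives a browser recognises (an assumed subset, enough for the headers in this thread).
DIRECTIVE_NAMES = {
    "default-src", "script-src", "style-src", "img-src", "font-src", "connect-src",
    "object-src", "frame-src", "frame-ancestors", "base-uri", "form-action",
    "worker-src", "child-src", "media-src", "manifest-src", "report-uri", "report-to",
    "upgrade-insecure-requests",
}
# Keyword sources must be single-quoted; unquoted they are parsed as host names.
KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'"}
HASH_OR_NONCE = re.compile(r"^'(nonce-|sha(256|384|512)-)[A-Za-z0-9+/=_-]+'$")

def parse_csp(value):
    """Split a header value into {directive: [sources]} the way a browser does:
    directives are ';'-separated, tokens inside a directive are whitespace-separated."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def lint_csp(value):
    """Return the problems found in a CSP header value; an empty list means clean."""
    problems = []
    for name, sources in parse_csp(value).items():
        if name not in DIRECTIVE_NAMES:
            problems.append(f"unknown directive {name!r}")
        for src in sources:
            if src.lower() in DIRECTIVE_NAMES:
                problems.append(f"{name}: {src!r} is a directive name; a ';' is missing before it")
            elif src.count("'") > 2:
                problems.append(f"{name}: {src!r} looks like fused keywords; a space is missing")
            elif "'" + src + "'" in KEYWORDS:
                problems.append(f"{name}: {src!r} is unquoted, so it is treated as a host name")
            elif src.startswith("'") and src not in KEYWORDS and not HASH_OR_NONCE.match(src):
                problems.append(f"{name}: unknown keyword {src!r}")
    return problems

# Constructed copies of the two header values posted in the thread.
BROKEN_HEADER = ("default-src 'self''unsafe-inline' https://www.google.com/ "
                 "https://code.jquery.com font-src 'self' https://fonts.googleapis.com")
FIXED_HEADER = ("default-src 'self' 'unsafe-inline' https://www.google.com/ "
                "https://code.jquery.com; font-src 'self' https://fonts.googleapis.com")

if __name__ == "__main__":
    for label, header in (("broken", BROKEN_HEADER), ("fixed", FIXED_HEADER)):
        print(label, lint_csp(header) or "OK")
```

Run it against the value your server actually sends (copy it from the response headers in the browser's network panel) rather than against the config file, so that what is linted is what clients receive.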
Okay, thank you for your opinion.
Starting with v4.5.0, existing CSP directives can be removed at runtime. So you all can change CSP settings for a specific page more flexibly. https://github.com/codeigniter4/CodeIgniter4/pull/8220