How to override default CSP rule in Codeigniter 4 ?
#1

Dear Friends,
I am using Codeigniter 4 . I need to add my CSP rules as part of security audit. When I enable the line

```
public bool $CSPEnabled = true;
```
in Config/App.php
the codeigniter 4 set some default CSP rules. I need to override it with my rules.
 
I tried with my CSP rules below the line as in Config/App.php as below

```
public bool $CSPEnabled = true;
$Config = [
    'ContentSecurityPolicy' => [
        'default-src' => 'self',
        'script-src' => 'self' https://example.com/scripts/',
        'style-src' => 'self',
        'font-src' => 'self' https://example.com/fonts/',
        'img-src' => 'self' 'unsafe-inline' data:;',
        'object-src' => 'none',
        'frame-ancestors' => 'none',
    ],
];

```
But it's not working. 

Please help

Thanks

Anes P A
#2
(This post was last modified: 10-31-2023, 01:06 AM by postgres. Edit Reason: to align )

Dear Friends,
I got solution
By adding the line 
Code:
```
Header always set Content-Security-Policy "default-src 'self''unsafe-inline' https://www.google.com/ https://code.jquery.com font-src 'self' https://fonts.googleapis.com
```


Header always set, in httpd.conf (for Apache server), gave the option to override the default CSP rule.

Thanks

Anes P A
#3

(10-31-2023, 01:06 AM)postgres Wrote: Dear Friends,
I got solution
By adding the line
Code:
```
Header always set Content-Security-Policy "default-src 'self''unsafe-inline' https://www.google.com/ https://code.jquery.com font-src 'self' https://fonts.googleapis.com
```
Header always set, in httpd.conf (for Apache server), gave the option to override the default CSP rule.

1. You just fooled the security audit by publishing a broken Content-Security-Policy header (check the messages in your browser console).
- missing semicolon before font-src
- there is a space missing between 'self' and 'unsafe-inline'.

A syntactically correct CSP header should look like this:
Code:
```
"default-src 'self' 'unsafe-inline' https://www.google.com/ https://code.jquery.com; font-src 'self' https://fonts.googleapis.com"
```
but this is a bad CSP: it does not protect against XSS. It also limits the use of external images and styles.

2. The Header always set in httpd.conf is not flexible and has the side effect that the CSP header will be sent with any file and HTML page. For example, you will spend a long time looking for the reason why workers do not work.

The default CSP settings are in the /app/Config/ContentSecurityPolicy.php file, but if you want to change them, don't edit this file. If you need to make changes to the default CSP at runtime, you can do so by adding/setting the $response->CSP object:
PHP Code:
```php
$this->response->CSP->setScriptSrc("'self' cdn.example.com");   // Specify the script-src set; overrides the default settings
$this->response->CSP->addScriptSrc("cdn.example.com");         // Add cdn.example.com to the default script-src set
```

Also, you can easily publish any CSP header in CI without setting `$CSPEnabled = true;`:
PHP Code:
```php
// Header name and value are two separate arguments
$this->response->setHeader('Content-Security-Policy', "default-src 'self' 'unsafe-inline' https://www.google.com/ https://code.jquery.com; font-src 'self' https://fonts.googleapis.com;");
```
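As an added example (not egranty's code and not part of the CodeIgniter project), here is a controller that puts the two approaches from this reply side by side: the per-response CSP object when `$CSPEnabled = true`, and a hand-built header when it is `false`. The class name `PageController`, the view name `page` and the hosts are constructed placeholders; the `set*`/`add*`/`getScriptNonce()` method names are assumed to be those of the 4.x `ContentSecurityPolicy` class, so check them against your installed version.

```php
<?php

namespace App\Controllers;

use CodeIgniter\HTTP\ResponseInterface;

// Added example, not from the thread or the CodeIgniter project.
// Assumes app/Config/ContentSecurityPolicy.php is left at its defaults and
// that $CSPEnabled = true in app/Config/App.php for scripts() to take effect.
class PageController extends BaseController
{
    // Per-page adjustment through the CSP object. set*() replaces the default
    // list for that directive, add*() extends it. Keywords are passed already
    // quoted, exactly as they must appear in the header.
    public function scripts(): string
    {
        $csp = $this->response->CSP;

        // Replace the whole script-src list; the configured default is no longer sent.
        $csp->setScriptSrc(["'self'", 'https://code.jquery.com']);

        // Extend, rather than replace, font-src so the configured defaults survive.
        $csp->addFontSrc('https://fonts.googleapis.com');

        // Instead of 'unsafe-inline', tag inline <script> blocks with the
        // per-request nonce so only those blocks are allowed to run.
        $nonce = $csp->getScriptNonce();   // also available as {csp-script-nonce} in views

        // The directives an audit usually asks about.
        $csp->setObjectSrc("'none'");
        $csp->setFrameAncestor("'none'");

        return view('page', ['nonce' => $nonce]);
    }

    // Hand-built header for an app with $CSPEnabled = false. Note the comma between
    // header name and value, and the semicolons separating directives; both are
    // what the Apache one-liner earlier in the thread got wrong.
    public function rawHeader(): ResponseInterface
    {
        $policy = implode('; ', [
            "default-src 'self'",
            "script-src 'self' https://code.jquery.com",
            "style-src 'self' https://fonts.googleapis.com",
            "font-src 'self' https://fonts.gstatic.com",
            "img-src 'self' data:",
            "object-src 'none'",
            "frame-ancestors 'none'",
        ]);

        return $this->response
            ->setHeader('Content-Security-Policy', $policy)
            ->setBody(view('page'));
    }
}
```

A quick check after deploying either variant: open the page with the browser console visible, since a malformed or over-strict policy shows up there as a refused load before any audit tool sees it.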
#4

(12-30-2023, 09:46 AM)egranty Wrote: The default CSP settings are in the /app/Config/ContentSecurityPolicy.php file, but if you want to change them, don't edit this file.

Why?
#5

(12-30-2023, 03:23 PM)kenjis Wrote:
(12-30-2023, 09:46 AM)egranty Wrote: The default CSP settings are in the /app/Config/ContentSecurityPolicy.php file, but if you want to change them, don't edit this file.

Why?
My points:

1. The habit of not touching the system files of the engine: they can be restored when the CMS is updated. Moreover, the developers have built in convenient methods for changing the default settings.

2. Different sections of the site may have different Content Security Policy (CSP): related to payment - more strict, articles and forum - more lenient.
Pages with HTTP response codes 403/404/5xx should also have a very strict CSP.

3. Some CSP directives are accompanied by additional HTTP headers. For example, the frame-ancestors directive is paired with the X-Frame-Options header to provide backward compatibility with legacy browsers. The report-to directive must be preceded by a Report-To HTTP header.
It is more convenient to manage all this from one place, rather than from different modules.
#6

Okay, thank you for your opinion.

Starting with v4.5.0, existing CSP directives can be removed at runtime.
So you all can change CSP settings to a specific page more flexibly.
https://github.com/codeigniter4/CodeIgniter4/pull/8220
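The two points made in posts #5 and #6 (different sections of a site getting different policies, companion headers managed from one place, and directives removable at runtime from v4.5.0) can be combined in a single filter. The filter below is an added example, not code from any poster or from the CodeIgniter project: the alias `csp`, the profile names `payment`/`error`/`default` and the `/csp-report` endpoint are constructed, the `set*`/`add*` method names are assumed to be those of the 4.x `ContentSecurityPolicy` class, and `clearDirective()` is assumed to be the method introduced by the pull request linked above.

```php
<?php

namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

// Added example, not from the thread or the CodeIgniter project.
// Assumes $CSPEnabled = true in app/Config/App.php (otherwise the CSP object is
// never turned into a header) and CodeIgniter >= 4.5.0 for clearDirective().
// Register as alias 'csp' in app/Config/Filters.php and attach per route group, e.g.
//   $routes->group('checkout', ['filter' => 'csp:payment'], ...);
// with 'csp:error' on the routes that render error pages and plain 'csp' elsewhere.
class CspFilter implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        // Nothing to do on the way in; headers are set on the response.
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        $csp     = $response->CSP;
        $profile = $arguments[0] ?? 'default';   // 'default', 'payment' or 'error'

        // 1. Strict baseline for every page. set*() replaces whatever
        //    app/Config/ContentSecurityPolicy.php put in that directive, so the
        //    result does not depend on the config file at all.
        $csp->setDefaultSrc("'none'");
        $csp->setScriptSrc("'self'");
        $csp->setStyleSrc("'self'");
        $csp->setImageSrc("'self'");
        $csp->setFontSrc("'self'");
        $csp->setObjectSrc("'none'");
        $csp->setFrameAncestor("'none'");
        $csp->setReportURI('/csp-report');       // constructed endpoint; violation reports are POSTed here

        // 2. A directive with a companion header is changed here and only here,
        //    so the pair can never drift apart (frame-ancestors <-> X-Frame-Options).
        $response->setHeader('X-Frame-Options', 'DENY');

        // 3. Per-section adjustments on top of the baseline.
        switch ($profile) {
            case 'payment':
                // Forms may only post back to us; no third-party scripts, fonts or XHR.
                $csp->addFormAction("'self'");
                $csp->addConnectSrc("'self'");
                break;

            case 'error':
                // 403/404/5xx pages carry no scripts or web fonts: drop those directives
                // entirely so they fall back to default-src 'none' (v4.5.0 feature).
                $csp->clearDirective('script-src');
                $csp->clearDirective('font-src');
                break;

            default:
                // Public pages: the external hosts named in the thread, without 'unsafe-inline'.
                $csp->addScriptSrc('https://code.jquery.com');
                $csp->addStyleSrc('https://fonts.googleapis.com');
                $csp->addFontSrc('https://fonts.gstatic.com');
                $csp->addImageSrc('data:');
                break;
        }

        return $response;
    }
}
```

Keeping the baseline in the filter rather than in the config file means a new route group gets the strict policy by default and has to opt into exceptions, and the report-uri endpoint shows, before users complain, which pages a tightened profile breaks.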