Hi,

At https://cwiki.apache.org/confluence/display/OFBIZ/How+to+Secure+HTTP+Headers 
I have summarized my work on HTTP Security Headers.

I have done the easy part, i.e. all headers but Content-Security-Policy. They are 
grouped in RequestHandler.renderView() just before rendering the view.

For Content-Security-Policy I'd like to use the safer one OOTB, i.e.: 
resp.setHeader("Content-Security-Policy", "default-src 'self'");

This means that all resource links should be local. The resource types are 
script, object (plugins), style, img, media, frame, font, connect and form.

No need to say that it's very ambitious and not for today.

The 1st task to handle is to remove as many JavaScript snippets as possible and 
have as many JavaScript files as possible.

There are already a few Jiras about that and we are slowly heading in the right 
direction.

It's not certain we can reach this very ambitious goal, and the good news is that 
it's not a problem if we don't.

When we hit cases where local is not possible, we can define a so-called 
nonce to be sure the resources are loaded from the right place.

In no case should we use OOTB the lazy unsafe-inline and eval-inline.

To not block anything for the moment, I have committed a simple, most restrictive 
Content-Security-Policy-Report-Only header at r1812720.

Then we can look at the issues using browser tools (there are so many).

The next step is to report the errors (when there are not too many) in the 
log using a report-uri.

And ultimately to use OOTB the most simple and constraining policy, with 
exceptions of course (as ever).

Note: if we encounter performance issues we can comment out the current 
Content-Security-Policy-Report-Only.

Jacques

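The policy discussed in the message above (a `default-src 'self'` baseline, a per-response nonce for the inline snippets that cannot yet be moved into files, and the Report-Only header used while the violations are being counted) can be reasoned about with a small evaluator. The code below is an added example written for this page; it is not OFBiz code and it is in Python rather than the project's Java, because the point is the CSP semantics, not the servlet API. The page origin, the resource loads and the nonce are constructed sample values, and the source matching is a simplified model of the CSP rules (origin equality for `'self'`, host sources and nonces; no path matching, no hash sources).

```python
import secrets
from urllib.parse import urlparse

# Fetch directives that inherit from default-src when they are absent.
# Navigation directives such as form-action do NOT fall back to default-src,
# so "default-src 'self'" alone leaves form submissions unrestricted.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src",
}

PAGE_ORIGIN = "https://ofbiz.example:8443"  # constructed sample origin


def parse_csp(header_value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def make_nonce():
    """Fresh, unguessable per-response nonce (128 bits, base64url)."""
    return secrets.token_urlsafe(16)


def csp_header(nonce=None, report_only=True):
    """Header name/value pair: strict baseline, nonce only as a script-src exception."""
    directives = ["default-src 'self'"]
    if nonce:
        directives.append(f"script-src 'self' 'nonce-{nonce}'")
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, "; ".join(directives)


def origin_of(url):
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def source_allows(sources, page_origin, load):
    """Does one source list permit this load? (simplified CSP matching)"""
    if load.get("inline"):
        # A nonce or hash source disables 'unsafe-inline' in CSP2+ browsers.
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
        if "'unsafe-inline'" in sources and not has_nonce_or_hash:
            return True
        nonce = load.get("nonce")
        return nonce is not None and f"'nonce-{nonce}'" in sources
    origin = origin_of(load["url"])
    host = urlparse(load["url"]).netloc.lower()
    for src in sources:
        if src == "*":
            return True
        if src == "'self'":
            if origin == page_origin:
                return True
        elif not src.startswith("'"):
            # Host source: with a scheme compare origins, without it compare hosts.
            if "://" in src and origin_of(src) == origin:
                return True
            if "://" not in src and src.lower() == host:
                return True
    return False


def evaluate(header_value, page_origin, loads, report_only):
    """Return (load name, directive, 'report' | 'block') for every violating load."""
    policy = parse_csp(header_value)
    page_origin = page_origin.lower()
    action = "report" if report_only else "block"
    violations = []
    for load in loads:
        directive = load["directive"]
        sources = policy.get(directive)
        if sources is None and directive in FALLS_BACK_TO_DEFAULT:
            sources = policy.get("default-src")
        if sources is None:
            continue  # no directive governs this load: unrestricted
        if not source_allows(sources, page_origin, load):
            violations.append((load["name"], directive, action))
    return violations


def sample_loads(nonce=None):
    """Constructed resource loads of the kinds the message lists."""
    loads = [
        {"name": "local script", "directive": "script-src", "url": f"{PAGE_ORIGIN}/images/ofbiz.js"},
        {"name": "CDN script", "directive": "script-src", "url": "https://cdn.example/jquery.js"},
        {"name": "inline snippet", "directive": "script-src", "inline": True},
        {"name": "local stylesheet", "directive": "style-src", "url": f"{PAGE_ORIGIN}/css/style.css"},
        {"name": "form to payment host", "directive": "form-action", "url": "https://pay.example/checkout"},
    ]
    if nonce:
        loads.append({"name": "nonced inline", "directive": "script-src", "inline": True, "nonce": nonce})
    return loads


def demo(nonce=None, report_only=True):
    name, value = csp_header(nonce, report_only)
    return name, evaluate(value, PAGE_ORIGIN, sample_loads(nonce), report_only)


if __name__ == "__main__":
    print(demo())                                  # report-only, no nonce
    print(demo(nonce=make_nonce(), report_only=False))  # enforcing, nonced snippet allowed
```

Under the Report-Only baseline the CDN script and the inline snippet are the two entries a browser would send to `report-uri`; the same policy in enforcing mode blocks them, while a snippet carrying the response's nonce passes. The `form-action` line is the caveat worth remembering: it is not covered by `default-src 'self'` and needs its own directive once the policy is enforced.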