From a9268393974dd356eb308d28d581e75a4e14bdc5 Mon Sep 17 00:00:00 2001 From: Steve Breker Date: Wed, 25 Oct 2023 07:51:26 -0700 Subject: [PATCH] Fixes and rewording --- admin-manual/security/csp-headers.rst | 153 ++++++++++++++------------ 1 file changed, 82 insertions(+), 71 deletions(-) diff --git a/admin-manual/security/csp-headers.rst b/admin-manual/security/csp-headers.rst index 704f7410..1f77dc89 100644 --- a/admin-manual/security/csp-headers.rst +++ b/admin-manual/security/csp-headers.rst 
@@ -1,25 +1,32 @@ =============================== -Content security policy headers +Content Security Policy Headers =============================== .. _CSP: https://en.wikipedia.org/wiki/Content_Security_Policy -Content Security Policy or `CSP`_ is "a computer security standard introduced -to prevent cross-site scripting (XSS), clickjacking, and other code injection -attacks resulting from execution of malicious content in the trusted web page -context" (Wikipedia). CSPs are implemented as HTTP response headers that modern -browsers use to enhance the security of web pages. - -AtoM now implements CSP headers when Bootstrap 5 based themes are in use. - -Brand new installations of AtoM 2.8 will have a default CSP header implementation -activated by default. - -This default configuration is a baseline that works with the upgraded Bootstrap 5 -based Dominion theme. - -High level implementation example ---------------------------------- +Content Security Policy (CSP) headers are a critical component of web security, +serving as a robust defense against a wide range of online threats. These +headers, which are implemented on web servers and embedded within web pages, +define a set of directives that instruct a browser on how to handle and restrict +the execution of various web resources, such as scripts, stylesheets, and +images. + +The primary function of CSP headers is to mitigate the risks associated with +cross-site scripting (XSS) attacks, data injection attacks, and other malicious +activities that exploit the trust model of web applications. By specifying which +sources of content are permitted, CSP headers help prevent unauthorized code +execution and reduce the attack surface, enhancing the overall security posture +of web applications. + +Starting in AtoM 2.8, AtoM has built in support for CSP headers when Bootstrap 5 +based themes are in use. 
When installing AtoM 2.8 from scratch, there's +a pre-configured CSP directive setting in place and CSP headers will be in use by +default. These default settings serve as a foundation compatible with the upgraded +Bootstrap 5 based Dominion theme and can be used as a base for custom themes based +on Dominion. + +Content Security Policy headers +------------------------------- In a high-level example of web security using Content Security Policy (CSP), let's consider a scenario. When a user's web browser sends a request to a server @@ -39,56 +46,65 @@ is allowed to run on the webpage. In doing so, CSP effectively protects against XSS attacks and other security threats, making the user's browsing experience safer and more secure. -```mermaid - sequenceDiagram - participant Browser - participant Server +.. mermaid:: - Browser ->> Server: HTTP Request - note over Server: Generate unique nonce and
store in session variable - note over Server: Build CSP header directive including nonce to use in reponse + sequenceDiagram + participant Browser + participant Server - note over Server: Tag each inline script with nonce - Server ->> Browser: HTTP Response - note over Browser: Verify reponse sources
against values in CSP directive
rejecting any that do not match -``` + Browser ->> Server: HTTP Request + note over Server: Generate unique nonce and
store in session variable + note over Server: Build CSP header directive including nonce to use in reponse + note over Server: Tag each inline script with nonce + Server ->> Browser: HTTP Response + note over Browser: Verify reponse sources
against values in CSP directive
rejecting any that do not match -Default implementation for the Bootstrap 5 Dominion theme +Default Implementation for the Bootstrap 5 Dominion Theme --------------------------------------------------------- -The ``Content-Security-Policy`` header value is made up of one or more -directives, where multiple directives are separated with a semicolon (``;``). +The ``Content-Security-Policy`` header encompasses one or more +directives. Multiple directives get delineated with a semicolon (``;``). -The ``default-src`` directive does not automatically cover iframes, so we -can also use the ``frame-ancestors`` directive to specify that the use of -elements such as ````, ``
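Review bot: In the first hunk (@@ -1,25 +1,32 @@) the `.. _CSP: https://en.wikipedia.org/wiki/Content_Security_Policy` target is kept while the only line that referenced it (`Content Security Policy or \`CSP\`_ is ...`) is removed, so the target is now unused and the Wikipedia attribution is silently dropped; either delete the target or reference it in the new opening paragraph, e.g. `Content Security Policy (\`CSP\`_) headers are ...`. The new section title `Content Security Policy headers` is also nearly identical to the document title `Content Security Policy Headers`, which makes the table of contents hard to read; a title that says what the section covers, such as the previous `High level implementation example`, would be clearer. Minor: `built in support` should read `built-in support`.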
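Review bot: In the second hunk (@@ -39,56 +46,65 @@) the converted `.. mermaid::` block carries over the typo `reponse` in two notes (`... nonce to use in reponse` and `Verify reponse sources`); since the commit is titled "Fixes and rewording", correct both to `response` here. Switching from a Markdown fence to the `.. mermaid::` directive is right for reStructuredText, but the directive only renders if `sphinxcontrib.mermaid` is listed in the documentation's `conf.py` `extensions`; worth confirming, because an unknown directive produces a build warning and the diagram disappears from the rendered page. `Multiple directives get delineated with a semicolon` reads more awkwardly than the removed `separated with a semicolon`; keep `separated`. Finally, the removed `frame-ancestors` paragraph is right that `default-src` does not fall back for it, but whatever replaces it should say plainly that `frame-ancestors` controls which parent pages may embed AtoM in a frame (the clickjacking protection), not which frames AtoM pages may load, which is governed by `frame-src`.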