Resolve "Improve the security via HTTP headers"
Closes #880
The first two commits are not directly related, but were needed to test production-like CSP headers in development.

- Removed calls to `eval()` in javascript code (needed for a somewhat safe CSP)
- Added `X-Content-Type-Options: nosniff` header to prevent some exploits (cf https://docs.djangoproject.com/en/2.2/ref/middleware/#x-content-type-options)
- Added `X-XSS-Protection: 1; mode=block` header to prevent some XSS vulnerabilities (cf https://docs.djangoproject.com/en/2.2/ref/middleware/#x-xss-protection-1-mode-block)
- Added a CSP that should prevent most of the most dangerous exploits in case of a successful XSS attack (or similar)
About the CSP
This is my first time implementing a CSP ever, so please, feel free to point out any mistake. I'd really like a review on this specific bit.
I've used https://developer.mozilla.org/fr/docs/Web/HTTP/CSP and https://csp-evaluator.withgoogle.com/ as my main resources; the proposed CSP is:

```
default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:
```
The `'unsafe-inline'` value for `style-src` leaves some room in case of an attack, but I lack the time to track down and remove all those inlined styles within the codebase (most of which are, I suspect, introduced by dependencies). However, I've ensured we don't load JS scripts from anywhere else, and don't allow calls to `eval` or stuff like that.
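Added example for reviewers, not code from this merge request or the project: a Django-style middleware that sets the three headers discussed above, plus a small checker that parses the proposed CSP string and verifies the properties the description claims for it (no inline scripts or `eval`, no external script hosts, `object-src 'none'`), while reporting the accepted `style-src 'unsafe-inline'` gap. The class name `SecurityHeadersMiddleware`, the `Response` stand-in (used so the code runs without Django installed), and the finding messages are assumptions made here; real Django `HttpResponse` objects support the same `response[...]` and `setdefault` calls.

```python
# Added example: header middleware plus a CSP checker for the policy proposed above.
# Not the project's own code. `Response` is a stand-in so this runs without Django.

CSP = (
    "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
    "img-src 'self' data:; font-src 'self' data:; object-src 'none'; "
    "media-src 'self' data:"
)

SECURITY_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": CSP,
}


class Response(dict):
    """Minimal stand-in for django.http.HttpResponse (headers via item access)."""

    def __init__(self, body=b""):
        super().__init__()
        self.content = body


class SecurityHeadersMiddleware:
    """Django-style middleware (assumed name): add the headers to every response.

    setdefault is used so a view that deliberately sets its own CSP
    (e.g. a stricter or report-only policy on one page) is not overwritten.
    """

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        for name, value in SECURITY_HEADERS.items():
            response.setdefault(name, value)
        return response


# Source expressions that are keywords, not hosts.
KEYWORDS = {"'self'", "'none'", "'strict-dynamic'", "'unsafe-inline'", "'unsafe-eval'"}
HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy):
    """Parse "dir src src; dir src" into {directive: [sources]}."""
    result = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            result[parts[0].lower()] = parts[1:]
    return result


def effective_sources(csp, directive):
    """Fetch directives fall back to default-src when they are absent."""
    return csp.get(directive, csp.get("default-src", []))


def csp_findings(policy):
    """Return finding strings; an empty list means every claim above holds.

    The style-src finding is reported too, so the accepted risk stays visible.
    """
    csp = parse_csp(policy)
    findings = []

    scripts = effective_sources(csp, "script-src")
    if "'unsafe-inline'" in scripts or "'unsafe-eval'" in scripts:
        findings.append("script-src allows inline scripts or eval")
    hosts = [s for s in scripts if s not in KEYWORDS and not s.startswith(HASH_PREFIXES)]
    if hosts:
        findings.append("script-src allows external hosts: " + " ".join(hosts))

    if effective_sources(csp, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none' (plugins could be injected)")

    if "'unsafe-inline'" in effective_sources(csp, "style-src"):
        findings.append("style-src allows inline styles (accepted risk)")
    return findings


if __name__ == "__main__":
    resp = SecurityHeadersMiddleware(lambda request: Response(b"ok"))(None)
    for name in SECURITY_HEADERS:
        print(f"{name}: {resp[name]}")
    print("findings:", csp_findings(CSP))
```

Running the block prints the three headers and a single finding for the proposed policy, the `style-src 'unsafe-inline'` gap the description already acknowledges. Feeding the checker a weaker policy such as `default-src 'self' 'unsafe-inline'` also reports the script and object-src problems, because those directives fall back to `default-src` when omitted. One caveat on the second header: `X-XSS-Protection` only influences the legacy XSS filters of older browsers, so the CSP is the control that actually matters here.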