Closes #880 (closed)
The two first commits are not directly related, but were needed to test production-like CSP headers in development.
-
Removed calls to eval()in javascript code (needed for a somewhat safe CSP) -
Added X-Content-Type-Options: nosniffheader to prevent some exploits (cf https://docs.djangoproject.com/en/2.2/ref/middleware/#x-content-type-options) -
Added X-XSS-Protection: 1; mode=block¶header to prevent some XSS vulnerabilities (cf https://docs.djangoproject.com/en/2.2/ref/middleware/#x-xss-protection-1-mode-block) -
Added a CSP that should prevent most of the most dangerous exploits in case of a successful XSS attack (or similar)
About the CSP
This is my first time implementing a CSP ever, so please, feel free to point out any mistake. I'd really like a review on this specific bit.
I've used https://developer.mozilla.org/fr/docs/Web/HTTP/CSP and https://csp-evaluator.withgoogle.com/ as my main resources, the proposed CSP is:
default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:The 'unsafe-inline' value for the style-src leaves some room in case of an attack, but I lack the time to track down and remove all those inlined styles whithin the codebase (most of which are, I suspect, introduced in dependencies).
However, I've ensured we don't load JS scripts from anywhere else, and don't allow calls to eval or stuff like that.