[BlueOnyx:21644] Content Security Policy - why it's getting important

Michael Stauber mstauber at blueonyx.it
Sat Jan 6 19:49:55 -05 2018


Hi all,

Today I've read an interesting article that I'd like to bring to the
attention of you all. I know some of you are already using "Content
Security Policy" on your sites, but the article lists a really compelling
reason why everyone should be made aware of it and maybe look into it for
future implementation.

At least if your websites handle anything via forms that you want to
keep from falling into the wrong hands. Such as usernames and
passwords, credit card data or other personal or sensitive information.

The article is sort of long, but a good read:

https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

The TL;DR is:

We all know that there are ways that webpages can be hacked. This
article highlights one of them, but there are plenty more, and a
compromise is often not easily detectable and can remain undetected for
a long time. If an intruder siphons off data, he still needs to ship it
out somehow in order to make use of it. There are several exfiltration
vectors for that as well; some are easier, others more reliable.

However: setting up a "Content Security Policy" for critical websites
can help to defeat a common way in which such data is extracted and sent
to the perpetrator.

Content Security Policy is an effective measure to protect your site
from XSS attacks. By whitelisting sources of approved content, you can
prevent the browser from loading malicious assets.

More info on that:

https://en.wikipedia.org/wiki/Content_Security_Policy
https://scotthelme.co.uk/content-security-policy-an-introduction/
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
https://content-security-policy.com/

Additionally there is a nice scanner that allows you to check websites
for security headers to see what's enabled and how that is working. For
example here is the report on www.blueonyx.it:

https://securityheaders.io/?q=www.blueonyx.it&followRedirects=on

Before someone asks: "X-Frame-Options" is indeed unconfigured there, or
you couldn't read the BlueOnyx news in the GUI. ;-)

Do we need this on the BlueOnyx GUI as well? Yes and no. In an update
released on 5th January 2018 I enabled "Referer Policy" and the
"X-XSS-Protection" for the GUI. The GUI pages themselves only use
hand-picked and vetted components that don't make any outside connection
other than to NewLinQ, www.blueonyx.it and (if you file a support ticket
via the GUI) to support.blueonyx.it. As the GUI may be accessible under
many different FQDNs (and all bound IPs) it's also impractical to lock
it down via CSP. There is also no feasible way in which GUI pages could
be modified without prior "root" access, in which case after-the-fact
measures would be moot anyway.

-- 
With best regards

Michael Stauber
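Added editorial example (not part of Michael's post or of BlueOnyx): a small Python checker that evaluates a Content-Security-Policy header the way a browser would decide whether a page may load a script, open a connection or submit a form to a given URL. The sample policy, origin and URLs are constructed; matching is simplified (ports and paths of host sources are ignored). It shows the point of the post: with `default-src 'self'`, a foreign `connect-src` or `img-src` destination is refused, but a form can still be posted elsewhere unless `form-action` is set, because that directive does not fall back to `default-src`.

```python
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when absent. Navigation
# directives such as form-action do NOT fall back to default-src.
FALLS_BACK_TO_DEFAULT = {"script-src", "img-src", "connect-src", "style-src", "font-src"}

# Constructed sample policy for a checkout page (not from the original post).
EXAMPLE_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; form-action 'self'"

def parse_csp(header):
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _host_matches(pattern, host):
    # "*.example.com" covers any subdomain but not the bare apex host.
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def source_matches(source, page_origin, url):
    """Simplified CSP source matching: 'none', 'self', scheme and host sources."""
    page, target = urlparse(page_origin), urlparse(url)
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":   # same scheme, host and port as the page itself
        return (page.scheme, page.hostname, page.port) == (target.scheme, target.hostname, target.port)
    if src.endswith(":") and "/" not in src:   # scheme source such as "https:"
        return target.scheme == src[:-1]
    if "://" in src:                           # host source with explicit scheme
        scheme, _, rest = src.partition("://")
        if target.scheme != scheme:
            return False
    else:
        rest = src
    host = rest.split("/", 1)[0].split(":", 1)[0]   # drop path and port (simplified)
    return _host_matches(host, target.hostname or "")

def allowed(policy, directive, page_origin, url):
    """Would the policy let the page at page_origin use url under this directive?"""
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:   # no governing directive at all: the browser allows it
        return True
    return any(source_matches(s, page_origin, url) for s in sources)
```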
