{"id":4120,"date":"2022-05-18T11:18:30","date_gmt":"2022-05-18T18:18:30","guid":{"rendered":"https:\/\/SUMMALAI.COM\/?p=4120"},"modified":"2022-05-18T11:18:32","modified_gmt":"2022-05-18T18:18:32","slug":"how-to-fix-a-missing-content-security-policy-on-a-website","status":"publish","type":"post","link":"https:\/\/SUMMALAI.COM\/?p=4120","title":{"rendered":"How To Fix a Missing Content-Security-Policy on a Website"},"content":{"rendered":"\n

by: Kent Ickler<\/a>\u00a0<\/p>\n\n\n\n

Content-Security-Policy-What-What?<\/strong><\/p>\n\n\n\n

Content-Security-Policy is a security header that can (and should) be included on communication from your website\u2019s server to a client. When a user goes to your website, headers are used for the client and server to exchange information about the browsing session. This is typically all done in the background unbeknownst to the user. Some of those headers can change the user experience, and some, such as the Content-Security-Policy affect how the web-browser will handle loading certain resources (like CSS files, javascript, images, etc) on the web page.<\/p>\n\n\n\n

Content-Security-Policy tells the web-browser what resource locations are trusted by the web-server and is okay to load. If a resource from an untrusted location is added to the webpage by a MiTM or in dynamic code, the browser will know that the resource isn\u2019t trusted and will fail to process that resource.<\/p>\n\n\n\n

Check if you have Content-Security-Policies already enabled<\/strong><\/p>\n\n\n\n

If you haven\u2019t heard of these headers before, you probably don\u2019t have them enabled. They aren\u2019t automatic. A quick way to check is to go to www.securityheaders.io<\/a> and do a scan of your website. You can also check in FireFox\u2019s Developer Console.<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n

Identifying Your Trusted Sources<\/strong><\/p>\n\n\n\n

In our case, we needed to identify trusted resource sources. This was pretty easy to do with \u201cDeveloper Mode\u201d in FireFox. We loaded our web page, set the Content-Security-Policy, and saw how many errors the console in the Developer Panel created.  Each error was a violation of our Content-Security-Policy. We used that information to include additional sources in our policy until all our content loaded appropriately.<\/p>\n\n\n\n

Consult with your web-developers as they may be able to provide you a list of all the source locations that should be trusted.<\/p>\n\n\n\n

Create and Configure the Content-Security-Policy in Apache<\/strong><\/p>\n\n\n\n

The header we need to add will be added in the httpd.conf file (alternatively, apache.conf, etc.).<\/p>\n\n\n\n

In httpd.conf, find the section for your VirtualHost.<\/p>\n\n\n\n

Next, find your <IfModule headers_module> section. If it doesn\u2019t exist, you will need to create it and add our specific headers.<\/p>\n\n\n\n

<VirtualServer>\n\n~Bits of important stuff here~\n\n    <IfModule headers_module>\n\n    RequestHeader set X-HTTPS 1\n\nHeader set Content-Security-Policy \"default-src 'self' 'unsafe-inline' www.blackhillsinfosec.com fonts.googleapis.com;\u201d<\/strong>\n\n<\/IfModule>\n\n~more bits of important stuff~\n\n<\/VirtualServer><\/pre>\n\n\n\n
Restart Apache<\/strong><\/p>\n\n\n\n
Sudo service apache restart<\/pre>\n\n\n\n
Test that change!<\/strong><\/p>\n\n\n\n
Wow, looks like we still have some sources we need trust.  Note the sections highlighted<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Update that Header Set with a Few More Sources<\/strong><\/p>\n\n\n\n
Header set Content-Security-Policy \u201cdefault-src \u2018self\u2019 \u2018unsafe-inline\u2019 www.blackhillsinfosec.com fonts.googleapis.com fonts.static.com www.google-analytics.com<\/a>;\u201d<\/p>\n\n\n\n
Don\u2019t forget to restart Apache after your change.<\/p>\n\n\n\n
Soon, you\u2019ll have your page configured properly with Content-Security-Policies and trusted sources. Note the resource errors in the FireFox developer\u2019s console is now clear after refreshing.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Header Set Content-Security-Policy<\/strong><\/p>\n\n\n\n
Scott Helme @Scott_Helme<\/a> has done a significant amount of research and helped pave the way for web-devs to fully implement Content-Security-Policies. Here is some great content that Scott has put together to assist in the proper implementation of Content-Security-Policies.<\/p>\n\n\n\n
Content Security Policy Introduction \u2013 Link: https:\/\/scotthelme.co.uk\/content-security-policy-an-introduction\/<\/a><\/p>\n\n\n\n
Content Security Policy Cheat Sheet \u2013 Link: https:\/\/scotthelme.co.uk\/csp-cheat-sheet\/<\/a><\/p>\n\n\n\n
Soon:\u00a0Configuring Referral-Policy!<\/a><\/p>\n\n\n\n
Ref: https:\/\/www.blackhillsinfosec.com\/fix-missing-content-security-policy-website\/<\/p>\n","protected":false},"excerpt":{"rendered":"
by: Kent Ickler\u00a0 Content-Security-Policy-What-What? Content-Security-Policy is a security header that can (and should) be included on communication from your website\u2019s server to a client. When a user goes to your website, headers are used for the client and server to exchange information about the browsing session. This is typically all done in the background unbeknownst Read More<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[104,262,5,178],"tags":[1160,1159,1158],"class_list":["post-4120","post","type-post","status-publish","format-standard","hentry","category-apache","category-centos","category-linux","category-wordpress","tag-content-security-policy","tag-fix-missing-content-security-policy","tag-missing-content-security-policy"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4120","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4120"}],"version-history":[{"count":1,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4120\/revisions"}],"predecessor-version":[{"id":4121,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4120\/revisions\/4121"}],"wp:attachment":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4120"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4120"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4120"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}