Content security policy

I put my new site through an online security check. Several problems were found.

  1. No content security policy.
    I found a post in this Forum dated 2015 about this, but nothing more recent. Is this something that I need to deal with in the Apache config, or in Grav?

    Grav seems to have a lot of security features already, so is a security policy needed?

  2. Strict transport security. In general, I wonder if it is necessary to deal with this warning. Second, it seems to be an HTTP header setting. How should this best be done with Grav?

  3. Vulnerabilities due to jQuery 2.2.4 (another post). Eliminating all jQuery 2.1 dependencies seems to be quite laborious and associated with the Theme I chose.

So I looked into this further.

It seems the best place to handle HTTP headers is in the server configuration. I use Apache 2.4, but searching online yields similar results for NGINX etc.

  1. Strict Transport
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    Add this to the config file for the HTTPS (!!!) part of the domain (adding to the HTTP part did not work for me).

  2. Strict Policy
    In principle the same, but setting the policy is more difficult as Grav and Themes source files from CDNs.

    As an example, because I have PayPal buttons and a map from Thunderforest, but do NOT assume this will work for yourself, I have

    Header set Content-Security-Policy "default-src 'self' *.paypal.com *.unpkg.com *.thunderforest.com;"

Enabling and setting security headers is a general website security topic and as far as I can tell there’s nothing Grav-specific about it. I did learn a lot by reading Scott Helme’s blog articles. Using Apache I had a go at adding security headers to the default Grav .htaccess file.

The site securityheaders.com is a great help to see how your security is improving as you add more headers. Unfortunately the site I was working on didn’t go live, but I remember the only real issue I had was with trying to run Grav without any inline JavaScript.

Thanks for the feedback.

Actually, I have had to revert the content policy header. As you say, lots of little things stopped working.

I have not worked out all the wrinkles. For example, various plugins do not load correctly, even though I seem to have specified the source correctly.

And, as you say, inline JavaScript has to be eliminated.
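The two problems raised in this thread (the policy has to list every CDN the theme and plugins pull from, and inline JavaScript gets blocked once you drop 'unsafe-inline') can both be worked out from the rendered page rather than by guessing. The script below is an added example, my own code and not from Grav, any theme, or an earlier post. It runs a constructed HTML sample (an assumption modelled on the setup described above: Leaflet from unpkg.com, Thunderforest tiles, a PayPal form) through Python's stdlib HTMLParser, records the origin each resource type is loaded from, lists the inline script/style blocks and on* handlers that would be blocked, and prints the Apache mod_headers line. It emits a Report-Only header first, so you can read the violations in the browser console before enforcing, and it uses per-directive sources instead of one wildcard default-src, which is what least privilege calls for here.

```python
"""Draft a Content-Security-Policy from a rendered Grav page (added example,
not Grav or theme code). Pipe `curl -s https://your-site/` into build_policy()
to see what your own theme and plugins really load."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Which CSP directive governs each (tag, attribute) pair.
DIRECTIVE_FOR = {
    ("script", "src"): "script-src",
    ("img", "src"): "img-src",
    ("iframe", "src"): "frame-src",
    ("form", "action"): "form-action",
}
NO_FALLBACK = {"form-action"}  # never inherits from default-src, so always emit it


def origin_of(url, site_host=None):
    """Map a resource URL to the CSP source expression that allows it."""
    parts = urlsplit(url.strip())
    if parts.scheme == "data":
        return "data:"
    if not parts.netloc or parts.netloc == site_host:  # relative, or our own host
        return "'self'"
    # Keep the scheme the page used; a '//cdn/...' URL becomes a bare host-source.
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme else parts.netloc


class ResourceCollector(HTMLParser):
    def __init__(self, site_host=None):
        super().__init__()
        self.site_host = site_host
        self.sources = {}      # directive -> set of source expressions
        self.inline = []       # (what, first 60 chars) of inline code found
        self._capture = None   # "script"/"style" while inside an inline block
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower() and a.get("href"):
            self._add("style-src", a["href"])
        for (t, attr), directive in DIRECTIVE_FOR.items():
            if tag == t and a.get(attr):
                self._add(directive, a[attr])
        if tag in ("script", "style"):
            # <script src=...> is external; a bare <script> or <style> is inline.
            self._capture = None if (tag == "script" and a.get("src")) else tag
            self._buf = []
        for name, value in a.items():  # onclick="..." etc. are inline code too
            if name.startswith("on"):
                self.inline.append((f"{tag} {name}", (value or "")[:60]))

    def handle_data(self, data):
        if self._capture:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if self._capture == tag:
            text = "".join(self._buf).strip()
            if text:
                self.inline.append((tag, text.splitlines()[0][:60]))
            self._capture = None

    def _add(self, directive, url):
        self.sources.setdefault(directive, set()).add(origin_of(url, self.site_host))


def build_policy(html, site_host=None):
    """Return (policy string, inline findings) for one rendered page."""
    p = ResourceCollector(site_host)
    p.feed(html)
    p.close()
    directives = ["default-src 'self'"]
    for directive in sorted(p.sources):
        extra = sorted(p.sources[directive] - {"'self'"})
        if extra or directive in NO_FALLBACK:  # 'self'-only ones are covered by default-src
            directives.append(" ".join([directive, "'self'"] + extra))
    return "; ".join(directives), p.inline


def apache_header(policy, report_only=True):
    """Apache mod_headers line; start in Report-Only mode so nothing breaks yet."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return f'Header always set {name} "{policy}"'


# Constructed sample page (an assumption), not real Grav output.
SAMPLE = """<!doctype html><html><head>
<link rel="stylesheet" href="/user/themes/mytheme/css/theme.css">
<link rel="stylesheet" href="https://unpkg.com/leaflet/dist/leaflet.css">
<script src="/system/assets/jquery/jquery.min.js"></script>
<script src="https://unpkg.com/leaflet/dist/leaflet.js"></script>
<style>body { margin: 0 }</style></head><body>
<img src="https://tile.thunderforest.com/cycle/1/0/0.png">
<img src="data:image/png;base64,iVBORw0KGgo=">
<form action="https://www.paypal.com/cgi-bin/webscr">
<button onclick="return confirm('Pay?')">Pay</button></form>
<script>var map = L.map('map').setView([51.5, -0.1], 13);</script>
</body></html>"""

if __name__ == "__main__":
    policy, inline = build_policy(SAMPLE)
    print(apache_header(policy))
    for what, snippet in inline:
        print(f"blocked without 'unsafe-inline': <{what}> {snippet}")
```

Run it over every page type your site renders (a single page will miss plugins that only load on some routes), merge the results, deploy the Report-Only line in the HTTPS vhost next to the HSTS header, and watch the browser console for violations; the inline findings are the theme or plugin snippets that need moving into files (or a per-response nonce) before switching to the enforcing header.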