Koozali.org: home of the SME Server

Content-Security-Policy Template

Offline frifri

Content-Security-Policy Template
« on: June 08, 2016, 12:40:23 PM »
Hi all,

I want to make a httpd.conf-template for enabling 'Content Security Policy' on VirtualHosts.

info :
http://content-security-policy.com/
https://securityheaders.io

This is what I tried, but it doesn't work:

Code:
{
    use esmith::AccountsDB;
    my $accounts = esmith::AccountsDB->open_ro;
    my $CSP = $accounts->get_prop($ibay, "CSP") || "";

    if ($CSP ne '')
    {
        $OUT .= "    Header set Content-Security-Policy \"$CSP\"\n";
    }
}

Offline Daniel B.

Re: Content-Security-Policy Template
« Reply #1 on: June 08, 2016, 01:05:39 PM »
Quote: This is what I tried, but it doesn't work
Doesn't work is a bit too vague. Please give us some details (where did you write this custom template, and what isn't working as expected)
It's the end of the world !!! :lol:

Offline frifri

Re: Content-Security-Policy Template
« Reply #2 on: June 08, 2016, 02:20:20 PM »
Hi Daniël,

I get a lot of these :

Code:
WARNING in /etc/e-smith/templates//etc/httpd/conf/httpd.conf/80VirtualHosts: Use of uninitialized value in concatenation (.) or string at /etc/e-smith/templates //etc/httpd/conf/httpd.conf/80VirtualHosts line 38.
WARNING in /etc/e-smith/templates-custom//etc/httpd/conf/httpd.conf/VirtualHosts/06CSP: Use of uninitialized value $Text::Template::ERROR in concatenation (.) or string at /usr/share/perl5/vendor_perl/esmith/templates.pm line 579.
WARNING in /etc/e-smith/templates-custom//etc/httpd/conf/httpd.conf/VirtualHosts/06CSP: ERROR: Cannot process template /etc/e-smith/templates-custom//etc/httpd/conf/httpd.conf/VirtualHosts/06CSP: at /etc/e-smith/templates//etc/httpd/conf/httpd.conf/80VirtualHosts line 38

F.

Offline Daniel B.

Re: Content-Security-Policy Template
« Reply #3 on: June 08, 2016, 02:24:55 PM »
$ibays is not defined globally. Try replacing it with $virtualHostContent
It's the end of the world !!! :lol:

Offline frifri

Re: Content-Security-Policy Template
« Reply #4 on: June 08, 2016, 10:41:51 PM »
Thanks Daniël !

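This custom-template does what I need:

Code:
{
    use esmith::AccountsDB;
    my $accounts = esmith::AccountsDB->open_ro;
    # $ibay is not defined in this template; take the key from $virtualHostContent (reply #3)
    my $ibay = $virtualHostContent;
    # Per-ibay "CSP" property; empty string when it is not set
    my $CSP = $accounts->get_prop($ibay, "CSP") || "";

    # Emit the header only for virtual hosts that have a policy configured
    if ($CSP ne '')
    {
        $OUT .= "    # Content-Security-Policy\n";
        $OUT .= "    Header set Content-Security-Policy \"$CSP\"\n";
    }
}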

F.
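
The template above writes the stored CSP value straight into a double-quoted httpd.conf argument. The following stand-alone script is an added example, not part of the original posts or of SME Server, showing one way to validate the value before it is emitted. The helper name csp_header_line and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not an SME Server function): turn a stored CSP value
# into a "Header set" line, or return undef if it is not safe to emit.
sub csp_header_line {
    my ($csp) = @_;
    return unless defined $csp;
    $csp =~ s/^\s+|\s+$//g;              # trim surrounding whitespace
    return if $csp eq '';
    # A policy is printable ASCII. A control character (newline included)
    # would end the directive and start a new line in httpd.conf.
    return if $csp =~ /[^\x20-\x7E]/;
    # A double quote or backslash would close or distort the quoted argument.
    return if $csp =~ /["\\]/;
    # mod_headers expands %-format specifiers in the value; %% is a literal %.
    $csp =~ s/%/%%/g;
    return qq{    Header set Content-Security-Policy "$csp"\n};
}

# Constructed sample values; the first is the policy quoted in reply #7.
my @samples = (
    q{default-src 'self'; script-src 'unsafe-inline'; style-src 'self' 'unsafe-inline';},
    qq{default-src 'self'"\n# stray config line},
    q{default-src 'self'; report-uri /csp%20report},
    q{   },
);

for my $value (@samples) {
    my $line = csp_header_line($value);
    if (defined $line) {
        print "emit:   $line";
    }
    else {
        (my $shown = $value) =~ s/\n/\\n/g;   # make the newline visible
        print "reject: [$shown]\n";
    }
}
```

Inside the template, the same check would wrap the `$OUT .=` line so that a rejected value leaves the virtual host without the header instead of producing a configuration Apache cannot load.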

Offline Jean-Philippe Pialasse

Re: Content-Security-Policy Template
« Reply #5 on: June 09, 2016, 08:30:32 AM »
Could it be of common use to add this option as the regular template?

If so, we could open an NFR against SME10 and maybe backport it to SME9.

Offline Stefano

Re: Content-Security-Policy Template
« Reply #6 on: June 09, 2016, 08:58:26 AM »
I agree, please do, TIA

Offline frifri

Re: Content-Security-Policy Template
« Reply #7 on: June 09, 2016, 08:59:16 AM »
It could, but it needs more documentation.

Server-Manager needs at least CSP="default-src 'self'; script-src 'unsafe-inline'; style-src 'self' 'unsafe-inline';" ...

F.

Offline Stefano

Re: Content-Security-Policy Template
« Reply #8 on: June 09, 2016, 11:00:32 AM »
Please open an NFR, attach your code and add all your observations, thank you.