CSP with script-src 'unsafe-inline' penalizes

sbastian
Posts: 14
Joined: Tue May 17, 2016 11:17 am
Location: France
Contact:

CSP with script-src 'unsafe-inline' penalizes

Post by sbastian » Fri Dec 27, 2024 7:56 pm

Good evening,

"without a CSP with script-src 'unsafe-inline', which penalizes the security of my site, I cannot have cmsimple_xh in edit mode what to do? "

Excerpt from Gemini AI's answers :lol:
4. Contact cmsimple_xh support:
Specific solutions: The cmsimple_xh developer may know specific solutions to make the CMS compatible with a more restrictive CSP.
Updates: It is possible that a future update of cmsimple_xh will solve this problem.

Thank you for your help!

Michael_G
Posts: 207
Joined: Thu Feb 18, 2016 11:01 pm
Contact:

Re: CSP with script-src 'unsafe-inline' penalizes

Post by Michael_G » Sat Dec 28, 2024 4:49 am

Hi sbastian,

Presumably you have implemented CSP via your .htaccess file?
Then you will actually get error messages from your browser if you log into your CMSimple_XH as an admin and want to edit pages.

But that's just you and there is no danger for your website, which is still secured for all other visitors with your CSP header.

There are two solutions for this, the first of which is cumbersome and could be really dangerous and the second is elegant and protects your website even if you yourself are logged in as admin:

1. Deactivate your .htaccess file by deleting or renaming it while you do admin work on your website.
2. Use the Plugin Sec-Header_XH developed by olape:
https://www.cmsimple-xh.org/de/?Plugin- ... h_one=0019

Advantage of this Plugin:
All settings will be done with it and your .htaccess file needs no modifications nor a second version w/o CSP.
And while you are working online on your website, the CSP restrictions are off only for you and will not disturb you.
Ciao
Michael

Let's Encrypt!

sbastian
Posts: 14
Joined: Tue May 17, 2016 11:17 am
Location: France
Contact:

Re: CSP with script-src 'unsafe-inline' penalizes

Post by sbastian » Sat Dec 28, 2024 9:12 am

Hello,

Thanks for your quick reply...

I followed your advice, implemented my CSP with the Sec-Header_XH plugin, and removed my CSP from the .htaccess file.
It's great, because with this plugin, the edit mode works well...

However, I modified the default configuration a bit, to improve the security score of my CSP.
For this, I use: https://developer.mozilla.org/en-US/observatory
With the basic configuration I have B+ (80)
To go to A+ (125), I modified or added this:
default-src modified to 'none'
script-src removed 'unsafe-inline'
style-src added a 'self'
According to Mozilla, a frame-ancestors directive would (?) still be missing, flagged by a red cross.

I did not change anything for the other parameters.

Thank you for your advice and to Olaf for his great plugin!

Stéphane

Michael_G
Posts: 207
Joined: Thu Feb 18, 2016 11:01 pm
Contact:

Re: CSP with script-src 'unsafe-inline' penalizes

Post by Michael_G » Mon Dec 30, 2024 8:41 am

Hi Stéphane,

I'm glad I was able to help you quickly.
It's a difficult topic, which unfortunately too few website operators take seriously.
I now have years of experience with this, but it also took me a few months to achieve A+
with a score of 135/100.

But to answer your question:
You can add missing fields into the /sec_header/config/config.php file.
My config.php:


<?php

$plugin_cf['sec_header']['referrer_policy']="same-origin";
$plugin_cf['sec_header']['x-content_type-options']="true";
$plugin_cf['sec_header']['x-xss_protection']="true";
$plugin_cf['sec_header']['csp_activate']="true";
$plugin_cf['sec_header']['csp_upgrade-insecure-requests']="";
$plugin_cf['sec_header']['csp_report-only']="";
$plugin_cf['sec_header']['csp_default-src']="'none'";
$plugin_cf['sec_header']['csp_base-uri']="'self'";
$plugin_cf['sec_header']['csp_connect-src']="'self'";
$plugin_cf['sec_header']['csp_font-src']="'self'";
$plugin_cf['sec_header']['csp_form-action']="'self'";
$plugin_cf['sec_header']['csp_frame-src']="'none'";
$plugin_cf['sec_header']['csp_frame-ancestors']="'none'";
$plugin_cf['sec_header']['csp_img-src']="'self'";
$plugin_cf['sec_header']['csp_manifest-src']="'self'";
$plugin_cf['sec_header']['csp_media-src']="'self'";
$plugin_cf['sec_header']['csp_object-src']="'self'";
$plugin_cf['sec_header']['csp_script-src']="'self'";
$plugin_cf['sec_header']['csp_style-src']="'self'";
$plugin_cf['sec_header']['csp_report-to']="";
$plugin_cf['sec_header']['csp_report-uri']="";
$plugin_cf['sec_header']['pp_activate']="true";
$plugin_cf['sec_header']['pp_feature-policy-activate']="true";
$plugin_cf['sec_header']['pp_interest-cohort']="true";
$plugin_cf['sec_header']['pp_accelerometer']="'none'";
$plugin_cf['sec_header']['pp_ambient-light-sensor']="'none'";
$plugin_cf['sec_header']['pp_autoplay']="'none'";
$plugin_cf['sec_header']['pp_battery']="'none'";
$plugin_cf['sec_header']['pp_camera']="'none'";
$plugin_cf['sec_header']['pp_display-capture']="'none'";
$plugin_cf['sec_header']['pp_document-domain']="'none'";
$plugin_cf['sec_header']['pp_encrypted-media']="'none'";
$plugin_cf['sec_header']['pp_execution-while-not-rendered']="'none'";
$plugin_cf['sec_header']['pp_execution-while-out-of-viewport']="'none'";
$plugin_cf['sec_header']['pp_fullscreen']="'self'";
$plugin_cf['sec_header']['pp_geolocation']="'self'";
$plugin_cf['sec_header']['pp_gyroscope']="'none'";
$plugin_cf['sec_header']['pp_layout-animations']="'self'";
$plugin_cf['sec_header']['pp_legacy-image-formats']="'self'";
$plugin_cf['sec_header']['pp_magnetometer']="'none'";
$plugin_cf['sec_header']['pp_microphone']="'none'";
$plugin_cf['sec_header']['pp_midi']="'none'";
$plugin_cf['sec_header']['pp_navigation-override']="'none'";
$plugin_cf['sec_header']['pp_oversized-images']="'self'";
$plugin_cf['sec_header']['pp_payment']="'none'";
$plugin_cf['sec_header']['pp_picture-in-picture']="'none'";
$plugin_cf['sec_header']['pp_publickey-credentials-get']="'none'";
$plugin_cf['sec_header']['pp_sync-xhr']="'none'";
$plugin_cf['sec_header']['pp_usb']="'none'";
$plugin_cf['sec_header']['pp_wake-lock']="'none'";
$plugin_cf['sec_header']['pp_screen-wake-lock']="'none'";
$plugin_cf['sec_header']['pp_web-share']="'none'";
$plugin_cf['sec_header']['pp_xr-spatial-tracking']="'none'";
$plugin_cf['sec_header']['coep']="require-corp";
$plugin_cf['sec_header']['coep_report-only']="";
$plugin_cf['sec_header']['corp']="same-origin";
$plugin_cf['sec_header']['coop']="same-origin";
$plugin_cf['sec_header']['coop_report-only']="";
Ciao
Michael

Let's Encrypt!
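To make the changes discussed in the two posts above checkable offline, here is an added example (not code from the Sec-Header_XH plugin or from Michael's config): it parses a Content-Security-Policy header, builds one from csp_* keys written in the plugin's $plugin_cf style (the rendering rules are an assumption, since the plugin's own code is not shown here), and flags the three points the thread raises: default-src not 'none', 'unsafe-inline' in script-src, and a missing frame-ancestors.

```python
# Added example, not Sec-Header_XH code: parse a CSP header, render one from
# config keys in the plugin's $plugin_cf style, and lint it for the weaknesses
# discussed in the thread.
from typing import Dict, List

def parse_csp(header: str) -> Dict[str, List[str]]:
    """'a b; c d' -> {'a': ['b'], 'c': ['d']}; a repeated directive is
    ignored after its first occurrence, as browsers do."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def render_csp(plugin_cf: Dict[str, str]) -> str:
    """Assumed rendering of csp_* keys (how the plugin itself does it is not
    shown on the page): empty values are skipped, flags are not directives."""
    parts = []
    for key, value in plugin_cf.items():
        name = key[len("csp_"):]
        if not key.startswith("csp_") or name in ("activate", "report-only"):
            continue
        if name == "upgrade-insecure-requests":
            if value == "true":
                parts.append(name)          # valueless directive
        elif value:
            parts.append(f"{name} {value}")
    return "; ".join(parts)

def lint_csp(header: str) -> List[str]:
    """Return the findings a reviewer would raise; empty list if none."""
    p = parse_csp(header)
    findings = []
    if p.get("default-src") != ["'none'"]:
        findings.append("default-src is not 'none': undeclared fetch directives inherit it")
    if "'unsafe-inline'" in p.get("script-src", p.get("default-src", [])):
        findings.append("script-src allows 'unsafe-inline': injected inline scripts would run")
    if "frame-ancestors" not in p:
        findings.append("frame-ancestors missing: the site can be framed (clickjacking)")
    return findings

# Constructed sample approximating a permissive starting policy; the hardened
# one is built from a subset of the csp_* keys in the config.php posted above.
BASIC = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
HARDENED_CF = {"csp_activate": "true", "csp_upgrade-insecure-requests": "",
               "csp_default-src": "'none'", "csp_base-uri": "'self'",
               "csp_script-src": "'self'", "csp_style-src": "'self'",
               "csp_frame-ancestors": "'none'", "csp_img-src": "'self'"}
if __name__ == "__main__":
    for label, hdr in (("basic", BASIC), ("hardened", render_csp(HARDENED_CF))):
        print(label, hdr, lint_csp(hdr) or "no findings", sep="\n  ")
```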

sbastian
Posts: 14
Joined: Tue May 17, 2016 11:17 am
Location: France
Contact:

Re: CSP with script-src 'unsafe-inline' penalizes

Post by sbastian » Wed Jan 01, 2025 7:29 pm

Hello and happy new year 2025...

Thank you for your example of a config... actually, it is very simple to add CSP parameters... but I max out at A+ 115 if I don't want to lose some of the features... but hey, it's still A+!

However, surfing a bit on the internet, I see that there are a multitude of other possible parameters besides those in the CSP, which are not yet listed in Olaf's plugin...
Sec_header is currently at version 1.0b2...

Thank you Michael, thank you Olaf

Stéphane

Michael_G
Posts: 207
Joined: Thu Feb 18, 2016 11:01 pm
Contact:

Re: CSP with script-src 'unsafe-inline' penalizes

Post by Michael_G » Thu Jan 02, 2025 6:38 am

Hello Stéphane, happy new year!

Congratulations for reaching A+ with a score of 115!

The missing 20 to 135 you can get if you study the following websites and edit your domain config for DNS CAA.

My recommendations:
https://securityheaders.com/
https://letsencrypt.org/docs/caa/
https://www.ssllabs.com/ssltest/

The last 5 you can only get if your website is…
Preloaded via the HTTP Strict Transport Security (HSTS) preloading process:
https://hstspreload.org/

Read this info very carefully and use it only if you are sure you can use HSTS every time and you have a reliable certificate.
Ciao
Michael

Let's Encrypt!
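As an added example illustrating the two items Michael names for the remaining points (not code from the plugin or from the linked sites), the following checks offline whether a Strict-Transport-Security header satisfies the hstspreload.org submission rules (max-age of at least one year, includeSubDomains, preload) and whether a set of DNS CAA records still permits Let's Encrypt to issue; the header and record strings are constructed inputs.

```python
# Added example: offline checks for HSTS preload eligibility and for a CAA
# record set that authorizes a given CA. Inputs are constructed samples.
from typing import Dict, List

PRELOAD_MIN_AGE = 31536000  # hstspreload.org requires max-age >= one year

def check_hsts_preload(header: str) -> List[str]:
    """Return the reasons a Strict-Transport-Security header would be
    rejected for preloading; an empty list means it meets the header rules."""
    directives: Dict[str, str] = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip()
    problems = []
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        problems.append("max-age missing or not an integer")
    else:
        if max_age < PRELOAD_MIN_AGE:
            problems.append(f"max-age {max_age} is below the required {PRELOAD_MIN_AGE}")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing: every subdomain must be HTTPS-only")
    if "preload" not in directives:
        problems.append("preload token missing")
    return problems

def caa_allows(records: List[str], ca: str) -> bool:
    """records are 'flags tag \"value\"' strings as published in DNS, e.g.
    '0 issue \"letsencrypt.org\"'. With no CAA records any CA may issue;
    once 'issue' records exist, the CA must be named in one of them
    ('issue \";\"' forbids all CAs). Wildcard certificates would also
    need an 'issuewild' record, which is not modelled here."""
    issuers = []
    for rec in records:
        _flags, tag, value = rec.split(maxsplit=2)
        if tag.lower() == "issue":
            issuers.append(value.strip('"').split(";")[0].strip())
    return not issuers or ca in issuers

if __name__ == "__main__":
    print(check_hsts_preload("max-age=31536000; includeSubDomains; preload"))
    print(check_hsts_preload("max-age=300"))
    print(caa_allows(['0 issue "letsencrypt.org"'], "letsencrypt.org"))
```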
