CSP help

John connor
Registered User
Posts: 2119
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

CSP help

Post by John connor » Fri Jun 21, 2019 11:59 am

Never mind. Decided it was too much of a hassle to have a CSP and omit the hundreds of external resources like YouTube, SoundCloud, etc.

</Solidjeuh>
Registered User
Posts: 1626
Joined: Tue Mar 29, 2016 3:45 am
Location: Aalst (Belgium)
Name: Andy Dm

Re: CSP help

Post by </Solidjeuh> » Fri Jun 21, 2019 12:16 pm

What is CSP ? Christian Social Party? :lol:
Register a free account & Play!!
~~~ https://www.solidjeuh.be ~~~
Have a secret? --> https://www.tellyoursecrets.eu

Heo32
Registered User
Posts: 113
Joined: Sat Jan 07, 2017 10:08 pm

Re: CSP help

Post by Heo32 » Fri Jun 21, 2019 6:58 pm

</Solidjeuh> wrote:
Fri Jun 21, 2019 12:16 pm
What is CSP ? Christian Social Party? :lol:
Content Security Policy.

https://csp-evaluator.withgoogle.com/

I know nothing about code, yet I implemented a flawless rating according to the link above (Google's CSP Evaluator) using version 3. I use two settings depending on what I want to do with my site, "high security" and "maximum security". That's what I've called them, anyways. The one at the bottom prevents a lot of functionality, so I don't typically use it. The "high security" keeps my site mostly functional, and it doesn't really bother me or the users. To have full functionality of my website I comment out the CSP completely so the CSP is not in use, which I do when backing up the forums, backing up WordPress, working with the databases (repair and optimize), and backing up my website.

My site uses nginx. Feel free to copy and edit my CSP according to your needs:

High security:

add_header Content-Security-Policy "default-src 'none'; script-src 'strict-dynamic' 'nonce-9VcPx1CZeDuXn' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https://secure.gravatar.com; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https://apis.google.com; object-src 'none'; frame-src 'self'; worker-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'none'; report-uri https://**********.report-uri.com/r/d/csp/enforce";

Maximum security:

add_header Content-Security-Policy "default-src 'none'; script-src 'strict-dynamic' 'nonce-9VcPx1CZeDuXn' 'unsafe-inline' https:; style-src 'self' https://fonts.googleapis.com; img-src 'self' data: https://secure.gravatar.com; font-src 'self' data: https://fonts.gstatic.com; connect-src 'self' https://apis.google.com; object-src 'none'; frame-src 'self'; worker-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'none'; report-uri https://**********.report-uri.com/r/d/csp/enforce";

Is this for you? :arrow: Windows + Nginx + PHP + MySQL + phpBB + WordPress + Cloudflare

Allow using Content-Security-Policy without unsafe-inline
stevemaury wrote:
Sun May 20, 2018 8:16 pm
I went to your board and looked for an hour or so, but did not see the women without underwear.
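A caveat on the nonce in the config above, with an added example that is not part of the thread and not phpBB, WordPress or nginx code: a CSP nonce only stops injected inline scripts if it is unpredictable and different for every response. A value hard-coded in a static server config is visible to anyone who views source and can be copied into an injected tag, so it behaves like 'unsafe-inline'. nginx has no nonce generator of its own; either the application sets the header, or the `$request_id` variable is used together with `sub_filter`. The Python below mints a fresh nonce per response, renders the same directive set as the "high security" policy, adds a frame-src allowlist for the embed hosts a board parses (the hosts are assumed), and models the browser's nonce check to show that a nonce copied from one response is useless against the next, but keeps working when the nonce is static.

```python
"""Per-response CSP nonces with a frame-src allowlist for embeds.

Added example; not the thread's nginx config and not phpBB/WordPress code.
Assumed: the embed hosts below and a single inline <script> stand in for a
real forum page.
"""
import base64
import re
import secrets
from typing import List, Optional, Tuple

# Assumed hosts for the video/audio embeds a board lets members post.
EMBED_HOSTS = ("https://www.youtube.com", "https://w.soundcloud.com")

POLICY_NONCE = re.compile(r"'nonce-([^']+)'")
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.I)
NONCE_ATTR = re.compile(r'\bnonce="([^"]*)"')


def make_nonce(nbytes: int = 16) -> str:
    """128 bits from the OS CSPRNG, base64-encoded as the 'nonce-...' grammar expects."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def build_policy(nonce: str, embed_hosts=EMBED_HOSTS, inline_styles: bool = True) -> str:
    """Same directive set as the "high security" policy above, with the nonce
    filled in and embed hosts added to frame-src.  A CSP3 browser that sees the
    nonce and 'strict-dynamic' ignores 'unsafe-inline' and https:; they only
    serve as fallback for CSP1/CSP2 browsers."""
    style = ["'self'"] + (["'unsafe-inline'"] if inline_styles else []) + ["https://fonts.googleapis.com"]
    directives = [
        ("default-src", ["'none'"]),
        ("script-src", ["'strict-dynamic'", f"'nonce-{nonce}'", "'unsafe-inline'", "https:"]),
        ("style-src", style),
        ("img-src", ["'self'", "data:", "https://secure.gravatar.com"]),
        ("font-src", ["'self'", "data:", "https://fonts.gstatic.com"]),
        ("connect-src", ["'self'", "https://apis.google.com"]),
        ("object-src", ["'none'"]),
        ("frame-src", ["'self'", *embed_hosts]),
        ("worker-src", ["'self'"]),
        ("frame-ancestors", ["'none'"]),
        ("form-action", ["'self'"]),
        ("base-uri", ["'none'"]),
    ]
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives)


def render_response(inline_js: str, nonce: Optional[str] = None) -> Tuple[str, str]:
    """Return (CSP header value, HTML).  A fresh nonce is minted unless one is
    passed in; passing a fixed value reproduces the static-nonce mistake."""
    nonce = nonce or make_nonce()
    html = f'<script nonce="{nonce}">{inline_js}</script>'
    return build_policy(nonce), html


def inline_scripts_that_run(policy: str, html: str) -> List[bool]:
    """Model the browser's check: an inline <script> runs only if its nonce
    attribute equals the nonce in script-src.  One bool per <script> tag."""
    m = POLICY_NONCE.search(policy)
    expected = m.group(1) if m else None
    verdicts = []
    for attrs in SCRIPT_TAG.findall(html):
        n = NONCE_ATTR.search(attrs)
        verdicts.append(n is not None and n.group(1) == expected)
    return verdicts


def replay_attack(static_nonce: Optional[str] = None) -> List[bool]:
    """Attacker reads the nonce from one response and injects a tag carrying it
    into the next.  Returns the verdicts for the second response: the page's
    own script first, then the injected one."""
    policy1, _ = render_response("init()", static_nonce)
    policy2, html2 = render_response("init()", static_nonce)
    stolen = POLICY_NONCE.search(policy1).group(1)
    injected = html2 + f'<script nonce="{stolen}">steal(document.cookie)</script>'
    return inline_scripts_that_run(policy2, injected)


if __name__ == "__main__":
    print("fresh nonce per response:", replay_attack())                 # [True, False]
    print("static nonce in config:  ", replay_attack("9VcPx1CZeDuXn"))  # [True, True]
```

`replay_attack()` returns `[True, False]` when each response gets its own nonce and `[True, True]` when the nonce is the fixed string from the config, which is the whole difference between a nonce-based policy and one that merely looks like it.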

John connor
Registered User
Posts: 2119
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: CSP help

Post by John connor » Fri Jun 21, 2019 9:24 pm

It's amazing how many websites don't even have a CSP. I can't implement it due to the reason I posted about having to whitelist so many external resources. In my board you can share YouTube videos, SoundCloud, you name it, it all parses. So all that needs to be fetched and omitted by the CSP. Though, with my WordPress site I can use a CSP, but my code didn't even show up at the Mozilla test site showing that I actually had a CSP. I thought I did it right, but maybe not. I know it shows up in the headers in the web console.

Here's what I got. My SAPI is Litespeed which is pretty much Apache.

Header set Content-Security-Policy default-src 'self' *.cloudflare.com *.amazonaws.com *.googleapis.com *.youtube.com script-src 'self' 'unsafe-inline'

Anyone know why that code doesn't make the Mozilla test site give me an A on having it implemented? Apparently from reading at CloudFlare, I need the script-src 'self' 'unsafe-inline' part due to hot link protection being on in CloudFlare.

</Solidjeuh>
Registered User
Posts: 1626
Joined: Tue Mar 29, 2016 3:45 am
Location: Aalst (Belgium)
Name: Andy Dm

Re: CSP help

Post by </Solidjeuh> » Fri Jun 21, 2019 9:28 pm

I think you are just "overdoing" security.
My server password is 250 characters, and I have a well-configured Fail2Ban.
phpBB itself is a very "safe" software. So I don't see the "need" of all that extra security ...

Oh, and don't take crappy servers ... :roll:

Heo32
Registered User
Posts: 113
Joined: Sat Jan 07, 2017 10:08 pm

Re: CSP help

Post by Heo32 » Sat Jun 22, 2019 7:10 pm

John connor wrote:
Fri Jun 21, 2019 9:24 pm
Header set Content-Security-Policy default-src 'self' *.cloudflare.com *.amazonaws.com *.googleapis.com *.youtube.com script-src 'self' 'unsafe-inline'
Remove the 'self' from default-src. It should either be 'none' or only the 3rd party links you posted.


John connor wrote:
Fri Jun 21, 2019 9:24 pm
script-src 'self' 'unsafe-inline' part due to hot link protection being on in CloudFlare.
It would be better for you to use something like this instead:

script-src 'strict-dynamic' 'nonce-9VcPx1CZeDuXn' 'unsafe-inline' https:;

Using 'strict-dynamic' is best. Don't use 'self'. Allowing 'unsafe-inline' is only a good idea if you also add 'nonce-**********' with a bunch of random letters and numbers added in there. This allows backwards compatibility for older browsers while preventing the security issue that gets introduced with the use of 'unsafe-inline'. Finally, if your site is using https, you should add https: at the end. You can also add http: after that if you feel like it, but it is not necessary.


</Solidjeuh> wrote:
Fri Jun 21, 2019 9:28 pm
phpBB itself is a very "safe" software. So I don't see the "need" of all that extra security ...
This is server-side hardening. It has nothing to do with phpBB directly, but if a security issue were found in phpBB, there is a chance that some of these changes could prevent it from being exploited.
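The checks Heo32 lists above (default-src, 'unsafe-inline' only beside a nonce, 'strict-dynamic', plus object-src and base-uri) can be applied mechanically, and doing so also shows why the Apache one-liner John posted scored badly. The Python below is an added example, not code from the thread and not Google's CSP Evaluator. It parses a policy the way a browser does (directives split on ';', first occurrence of a directive wins) and reports findings; it is run against the Apache line, on the assumption that the server emitted that whole unquoted line as the header value, and against both nginx policies posted earlier, with the report-uri token masked exactly as posted.

```python
"""A small Content-Security-Policy checker.

Added example; not code from the thread and not Google's CSP Evaluator.
Assumption: the Apache one-liner is evaluated as the single header value a
server would emit for that unquoted line.
"""
import re
from typing import Dict, List

# Directive names the checker knows; used to catch a directive name that was
# swallowed into the previous directive's source list because a ';' is missing.
DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "font-src", "connect-src",
    "object-src", "frame-src", "worker-src", "media-src", "child-src", "manifest-src",
    "frame-ancestors", "form-action", "base-uri", "report-uri", "report-to",
    "upgrade-insecure-requests",
}
NONCE_RE = re.compile(r"'nonce-[A-Za-z0-9+/=_-]+'")
HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")

# Policies copied from this thread.
APACHE_ONE_LINER = ("default-src 'self' *.cloudflare.com *.amazonaws.com *.googleapis.com "
                    "*.youtube.com script-src 'self' 'unsafe-inline'")
HIGH_SECURITY = ("default-src 'none'; script-src 'strict-dynamic' 'nonce-9VcPx1CZeDuXn' 'unsafe-inline' https:; "
                 "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
                 "img-src 'self' data: https://secure.gravatar.com; font-src 'self' data: https://fonts.gstatic.com; "
                 "connect-src 'self' https://apis.google.com; object-src 'none'; frame-src 'self'; worker-src 'self'; "
                 "frame-ancestors 'none'; form-action 'self'; base-uri 'none'; "
                 "report-uri https://**********.report-uri.com/r/d/csp/enforce")
MAX_SECURITY = HIGH_SECURITY.replace("style-src 'self' 'unsafe-inline'", "style-src 'self'")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """{directive: [source, ...]}; a repeated directive keeps its first occurrence."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def evaluate(header: str) -> List[str]:
    """Findings prefixed HIGH / MEDIUM / LOW / INFO, in check order."""
    p = parse_csp(header)
    out: List[str] = []

    # A directive name inside a source list means a ';' is missing; the browser
    # treats it as a host source that never matches, so the directive is absent.
    for name, values in p.items():
        for v in values:
            if v.lower() in DIRECTIVES:
                out.append(f"HIGH {name}: '{v}' is a directive name, not a source; a ';' is missing before it")

    default = p.get("default-src")
    if default is None:
        out.append("HIGH no default-src: fetch types without their own directive are unrestricted")
    elif "'self'" in default:
        out.append("INFO default-src 'self': every unlisted fetch type may load same-origin content; "
                   "'none' plus explicit per-type directives is tighter")

    # script-src falls back to default-src when absent.
    script = p.get("script-src", default or [])
    has_nonce = any(NONCE_RE.fullmatch(s) for s in script)
    has_hash = any(s.startswith(HASH_PREFIXES) for s in script)
    strict = "'strict-dynamic'" in script
    if "'unsafe-inline'" in script and not (has_nonce or has_hash):
        out.append("HIGH script: 'unsafe-inline' without a nonce or hash lets any injected inline script run")
    if strict and not (has_nonce or has_hash):
        out.append("HIGH script: 'strict-dynamic' needs a nonce or hash to bootstrap trusted scripts")
    if not strict:  # with 'strict-dynamic', CSP3 browsers ignore host and scheme sources
        for s in script:
            if s in ("*", "https:", "http:", "data:") or s.startswith("*."):
                out.append(f"MEDIUM script: '{s}' allows scripts from too many origins")
    if "'unsafe-eval'" in script:
        out.append("MEDIUM script: 'unsafe-eval' permits eval()/Function() on attacker strings")

    # Plugins and <base> are classic bypass vectors.
    if "'none'" not in p.get("object-src", default or []):
        out.append("HIGH object-src is not 'none': plugin content can bypass script-src")
    if "base-uri" not in p:
        out.append("MEDIUM no base-uri: an injected <base> can redirect relative script URLs")

    if "'unsafe-inline'" in p.get("style-src", default or []):
        out.append("LOW style-src 'unsafe-inline': injected inline CSS is not blocked")
    return out


if __name__ == "__main__":
    for label, policy in (("Apache one-liner", APACHE_ONE_LINER),
                          ("high security", HIGH_SECURITY), ("maximum security", MAX_SECURITY)):
        print(f"== {label}")
        for finding in evaluate(policy) or ["(no findings)"]:
            print("  " + finding)
```

On the Apache line the parser sees one directive, `default-src`, whose source list contains the literal token `script-src`: the intended script-src never exists, scripts fall back to a default-src that carries 'unsafe-inline' with no nonce, and the `*.` wildcards on large shared hosts are flagged as well. The high-security nginx policy gets a single LOW finding for inline styles and the maximum-security one gets none, which matches the two tiers described earlier.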

John connor
Registered User
Posts: 2119
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: CSP help

Post by John connor » Sun Jun 23, 2019 5:57 am

Awesome! I now have an A+ rating for my cousin's shrine. https://observatory.mozilla.org/analyze/toddexler.com


Like I said, can't implement a CSP on my board due to all of the sites that can be shared.

John connor
Registered User
Posts: 2119
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: CSP help

Post by John connor » Sun Jun 23, 2019 6:29 am

Well, scratch that. I have to disable the CSP because I can't edit WordPress pages with it on. Looking at the web console, I have all kinds of script error crap, and I have no idea what it all means.

Heo32
Registered User
Posts: 113
Joined: Sat Jan 07, 2017 10:08 pm

Re: CSP help

Post by Heo32 » Thu Jun 27, 2019 12:01 am

John connor wrote:
Sun Jun 23, 2019 6:29 am
Well scratch that. I have to disable the CSP because I can't edit WordPress pages with it on. Looking at the web console I have all kinds of script error crap I have no idea what it all means.
I go through the same issue. I have 3 different nginx.conf files, each with different levels of security features enabled/disabled. The higher the security, the better the security ratings I get, with the sacrifice being functionality. The one with no security features enabled (no CSP, etc.) is what I use temporarily in order to change WordPress and phpBB settings, make backups, etc. You should do the same. Once everything has been edited in WordPress/phpBB, etc., then you can restore the configuration file (nginx.conf?) with the CSP and other security features to allow your site to function well enough.
