Content-Security-Policy (CSP) filter

The Content-Security-Policy (CSP) filter enables a fine-grained security policy, mitigating risks such as Cross-Site Scripting (XSS).

Why is a CSP necessary?

A Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, most notably Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft and site defacement to the distribution of malware.

Modern web applications are complex, often integrating third-party scripts, styles, and other resources. Without a CSP, a web browser trusts and executes any code it receives from the server. If an attacker injects a malicious script into one of your pages, the browser runs it, potentially compromising your users' data and the integrity of your application.

By defining a CSP, you can tell the browser which sources are trustworthy and should be allowed to execute scripts or load other resources. For example, you can restrict scripts to load only from your own domain or from a specific set of trusted third-party domains. The browser blocks any attempts to load resources from untrusted sources.

Per-site configuration

Prior to Magnolia 6.4.2, the Content-Security-Policy header could only be set globally, for all sites, by modifying the filter chain. Since 6.4.2 you can configure the CSP for each site directly within that site's definition.

You can add the CSP configuration directly under a site’s definition in your multisite module configuration.

CSP header configuration in a site definition
modules:
  multisite:
    config:
      sites:
        travel:
          csp:
            cspHeaderValue: "default-src 'self' https: data: 'unsafe-inline';"

In this example, cspHeaderValue specifies that the default sources for content are the site's own origin ('self'), any HTTPS URL (https:), data URIs (data:), and inline scripts and styles ('unsafe-inline'). Because no more specific directive (such as script-src) is set, default-src governs every resource type, so the browser loads resources only from these sources and blocks everything else.
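The following is an added example, not Magnolia code or documentation: a small Python audit tool that parses a cspHeaderValue the way a browser does (first occurrence of a directive wins, default-src is the fallback for the fetch directives), resolves which sources actually govern scripts, and flags settings that weaken the XSS mitigation described above. Run against the page's own example value it reports, among other things, that 'unsafe-inline' lets an injected inline script execute, which is the main risk a practitioner should weigh before shipping that value. The nonce_policy helper builds a constructed, stricter alternative; its directive set is a suggestion assumed for this example, not a Magnolia default, and the nonce must be generated fresh per response and echoed into each `<script nonce="...">` tag.

```python
"""Parse a Content-Security-Policy header value and flag weak settings.

Added example for this page; not Magnolia code. PAGE_POLICY is the value
from the page's site definition; everything else is constructed here.
"""
from __future__ import annotations

import secrets

PAGE_POLICY = "default-src 'self' https: data: 'unsafe-inline';"

# Fetch directives that fall back to default-src when not set explicitly.
FALLBACK_TO_DEFAULT = (
    "script-src", "style-src", "object-src", "img-src",
    "connect-src", "font-src", "frame-src", "media-src",
)
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header_value: str) -> dict[str, list[str]]:
    """Split a header value into {directive: [source expressions]}.

    Directives are ';'-separated, tokens whitespace-separated, names
    case-insensitive. As in browsers, a repeated directive is ignored
    after its first occurrence.
    """
    policy: dict[str, list[str]] = {}
    for raw in header_value.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Sources that govern `directive`, honouring the default-src fallback.

    An empty list means the directive is unrestricted (nothing applies).
    """
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT:
        return policy.get("default-src", [])
    return []


def audit_csp(header_value: str) -> list[str]:
    """Return human-readable findings about script-execution weaknesses."""
    policy = parse_csp(header_value)
    findings: list[str] = []
    script = effective_sources(policy, "script-src")

    if not script:
        findings.append("no script-src and no default-src: scripts are unrestricted")
    # 'unsafe-inline' is ignored by CSP2+ browsers when a nonce or hash is present.
    if "'unsafe-inline'" in script and not any(s.startswith(HASH_OR_NONCE) for s in script):
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash: "
                        "injected inline scripts still execute")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval': string-to-code (eval) is permitted")
    for broad in ("*", "https:", "http:", "data:"):
        if broad in script:
            findings.append(f"script-src allows {broad}: any script reachable that way may load")
    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none': plugin/embedded content can carry script")
    if "base-uri" not in policy:
        findings.append("base-uri is not set: an injected <base> tag can redirect relative script URLs")
    return findings


def new_nonce() -> str:
    """Fresh per-response nonce (128 bits of CSPRNG output)."""
    return secrets.token_urlsafe(16)


def nonce_policy(nonce: str) -> str:
    """Constructed stricter policy: scripts/styles only from self or with this nonce."""
    return (
        f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
        f"style-src 'self' 'nonce-{nonce}'; img-src 'self' data:; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    )


if __name__ == "__main__":
    print("Page policy:", PAGE_POLICY)
    for finding in audit_csp(PAGE_POLICY):
        print("  -", finding)
    hardened = nonce_policy(new_nonce())
    print("Hardened policy:", hardened)
    print("  findings:", audit_csp(hardened) or "none")
```

The audit treats default-src as the effective script-src exactly as the page's example relies on it, so the findings for PAGE_POLICY describe what a browser would really permit for that site. Setting a nonce-based value as cspHeaderValue only helps if the templates rendering the site actually emit matching nonce attributes, which is a templating concern outside this filter.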
