This repository has been archived by the owner on Feb 9, 2022. It is now read-only.

Content Security Policy #61

Open
krzysztofrewak opened this issue Sep 15, 2020 · 4 comments
Labels
environment All environment-related things question Further information is requested
Comments

@krzysztofrewak
Contributor

Question: do we want to set up a Content Security Policy? It's a security standard helping with all the bad stuff bad people could do with a website, including clickjacking, malicious XSS and others. I was really encouraged to implement it at last year's web security workshops, but honestly I have no experience with it other than that workshop.

Implementation would be extremely easy, just adding one line to the server block in the nginx config:

add_header Content-Security-Policy "default-src 'self';";

Adjusting the current codebase wouldn't be hard either. Mostly because we don't have a lot of code right now. ;)

@krzysztofrewak krzysztofrewak added question Further information is requested environment All environment-related things labels Sep 15, 2020
@krzysztofrewak krzysztofrewak added this to To do in Environment via automation Sep 15, 2020
@mlencki
Member

mlencki commented Sep 15, 2020

We can try. What exactly do we need to change in the current codebase?

@krzysztofrewak
Contributor Author

In our part? Probably hardly anything (as soon as #49 is merged into develop), but there'll be a problem with Nova. I opened the first Nova file included in our project (resources/views/nova/telescope-link.php) and in the second line (!) there is an inline JavaScript call opening a new window. We can (and should) replace it with <a target="_blank" probably, but there's plenty of shit in Nova vendor files and I don't know how to handle them. Maybe disabling CSP on dashboard routes would be an option?

Btw, nice article: https://sekurak.pl/wszystko-o-csp-2-0-content-security-policy-jako-uniwersalny-straznik-bezpieczenstwa-aplikacji-webowej/
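An added example, not code from this issue thread or from the project: a small Python helper that builds and inspects Content-Security-Policy header values. It covers the `default-src 'self'` policy proposed in the first post, the fallback from `script-src` to `default-src`, and a per-route alternative to switching CSP off on the dashboard: keep `default-src 'self'` everywhere and, for dashboard routes only, allow inline scripts that carry a per-response nonce. The `/nova` route prefix is an assumption. Note that a nonce only covers inline `<script>` elements; an inline event-handler attribute such as the one described above still has to be rewritten (for example into a plain link) before it will run under a nonce-based policy.

```python
# Added example (not part of the issue thread or the project's code): build and
# inspect Content-Security-Policy header values, including a nonce-based
# relaxation for dashboard routes instead of disabling CSP there.
import secrets
from typing import Dict, List, Optional

Directives = Dict[str, List[str]]

# Hypothetical prefix for the admin dashboard routes (assumption, not the
# project's real configuration).
DASHBOARD_PREFIX = "/nova"


def parse_csp(header: str) -> Directives:
    """Split a CSP header value into {directive: [source, ...]}."""
    directives: Directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def serialize_csp(directives: Directives) -> str:
    """Render directives back into a header value, directives separated by ';'."""
    return "; ".join(
        f"{name} {' '.join(sources)}".rstrip() for name, sources in directives.items()
    ) + ";"


def effective_sources(directives: Directives, directive: str) -> List[str]:
    """Fetch directives such as script-src fall back to default-src when absent."""
    return directives.get(directive, directives.get("default-src", []))


def inline_script_allowed(sources: List[str], nonce: Optional[str] = None) -> bool:
    """Would an inline <script> element run under these script-src sources?

    Once a nonce or hash source is present, browsers ignore 'unsafe-inline'
    and the inline script needs a matching nonce to execute.
    """
    strict = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    if not strict:
        return "'unsafe-inline'" in sources
    return nonce is not None and f"'nonce-{nonce}'" in sources


def new_nonce() -> str:
    """Per-response nonce: unguessable and never reused across responses."""
    return secrets.token_urlsafe(16)


def policy_for_path(path: str, nonce: str) -> str:
    """default-src 'self' everywhere; dashboard routes additionally allow inline
    scripts carrying the response nonce rather than dropping CSP entirely."""
    directives: Directives = {"default-src": ["'self'"]}
    if path.startswith(DASHBOARD_PREFIX):
        directives["script-src"] = ["'self'", f"'nonce-{nonce}'"]
    return serialize_csp(directives)


def nginx_add_header(policy: str) -> str:
    """The nginx directive from the issue, with the given policy value."""
    return f'add_header Content-Security-Policy "{policy}";'


if __name__ == "__main__":
    nonce = new_nonce()
    for path in ("/", DASHBOARD_PREFIX + "/dashboards/main"):
        policy = policy_for_path(path, nonce)
        scripts = effective_sources(parse_csp(policy), "script-src")
        print(path, "->", nginx_add_header(policy))
        print("  inline script without nonce runs:", inline_script_allowed(scripts))
        print("  inline script with nonce runs:   ", inline_script_allowed(scripts, nonce))
```

Running the module prints the nginx line each route would get and whether an inline script runs with and without the nonce; in a real deployment the nonce must be generated per response and injected into both the header and the `<script nonce="...">` attribute, which is something the application (not a static nginx `add_header`) has to do.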

@mateuszchodor
Member

If there is an option, we should definitely try to implement it.

@krzysztofrewak
Contributor Author

Clipboard: https://github.com/spatie/laravel-csp
