Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Send Content-Security-Policy header #203

Closed
thekaveman opened this issue Nov 18, 2021 · 1 comment · Fixed by #211
Closed

Send Content-Security-Policy header #203

thekaveman opened this issue Nov 18, 2021 · 1 comment · Fixed by #211
Assignees
@thekaveman
Labels
security Changes to improve or maintain the availability and resilience of the app
Projects
Benefits 2021
Milestone
November 2021

Comments

@thekaveman
Copy link
Member

thekaveman commented Nov 18, 2021
edited
Loading

The Content-Security-Policy (CSP) header (with the frame-ancestors directive) replaces the now deprecated X-Frame-Options header, to instruct the browser about appropriate actions to perform if a site is included inside an <iframe>.

See more at https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

We already have Django's built-in Clickjacking/X-Frame-Options features enabled. Since this app should never be run from an <iframe>, let's create another Middleware that sets the CSP header like so:

Content-Security-Policy: default-src 'self'; frame-ancestors 'none';
@thekaveman thekaveman added this to the November 2021 milestone Nov 18, 2021
@thekaveman thekaveman added this to Backlog in Benefits 2021 via automation Nov 18, 2021
@thekaveman thekaveman mentioned this issue Nov 18, 2021
Closed
@thekaveman
Copy link
Member Author

Mozilla has helpfully implemented a Middleware that we can use for this!

https://github.com/mozilla/django-csp

https://django-csp.readthedocs.io/en/latest/

@thekaveman thekaveman self-assigned this Nov 19, 2021
@thekaveman thekaveman moved this from Backlog to In progress in Benefits 2021 Nov 19, 2021
This was referenced Nov 19, 2021
Merged
Closed
Benefits 2021 automation moved this from In progress to Done Nov 19, 2021
@thekaveman thekaveman added the security Changes to improve or maintain the availability and resilience of the app label Apr 29, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@thekaveman thekaveman

Labels
security Changes to improve or maintain the availability and resilience of the app
Projects
Digital Services
Archived in project
Benefits 2021
  
Done
Milestone
November 2021
Development

Successfully merging a pull request may close this issue.

Implement Content Security Policy cal-itp/benefits
1 participant
@thekaveman