Send Content-Security-Policy header #203

Closed
thekaveman opened this issue Nov 18, 2021 · 1 comment · Fixed by #211
Labels: security (Changes to improve or maintain the availability and resilience of the app)

thekaveman (Member) commented Nov 18, 2021

The Content-Security-Policy (CSP) header (with the frame-ancestors directive) replaces the now deprecated X-Frame-Options header, to instruct the browser about appropriate actions to perform if a site is included inside an <iframe>.

See more at https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

We already have Django's built-in Clickjacking/X-Frame-Options features enabled. Since this app should never be run from an <iframe>, let's create another Middleware that sets the CSP header like so:

```
Content-Security-Policy: default-src 'self'; frame-ancestors 'none';
```
thekaveman (Member, Author) commented:

Mozilla has helpfully implemented a Middleware that we can use for this!

https://github.com/mozilla/django-csp

https://django-csp.readthedocs.io/en/latest/
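The following is an added example, not code from this issue or from django-csp: a small Django-style middleware (`CSPMiddleware`, `build_csp`, `parse_csp` and `frame_ancestors_blocked` are all constructed names) that emits the exact header proposed above, plus a check a test suite can run to confirm a response forbids framing. The response object is a plain dict standing in for Django's `HttpResponse`, which also supports `response["Header"] = value`.

```python
"""Minimal CSP middleware and a framing check, constructed for this example."""
from typing import Callable, Dict, List

# The policy from the issue: same-origin resources only, never framed.
CSP_POLICY: Dict[str, List[str]] = {
    "default-src": ["'self'"],
    "frame-ancestors": ["'none'"],
}


def build_csp(policy: Dict[str, List[str]]) -> str:
    """Serialise a directive -> sources mapping into a CSP header value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items()) + ";"


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a CSP header value back into directive -> sources (names lower-cased)."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


class CSPMiddleware:
    """Django-style middleware: call the next handler, then add the header.

    setdefault() keeps a stricter per-view header if a view already set one.
    """

    def __init__(self, get_response: Callable, policy: Dict[str, List[str]] = CSP_POLICY):
        self.get_response = get_response
        self.header_value = build_csp(policy)

    def __call__(self, request):
        response = self.get_response(request)
        response.setdefault("Content-Security-Policy", self.header_value)
        return response


def frame_ancestors_blocked(headers: Dict[str, str]) -> bool:
    """True only when CSP says frame-ancestors 'none'.

    X-Frame-Options alone is not accepted here: the issue wants the CSP
    directive present, and 'self' would still allow same-origin framing.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("content-security-policy")
    if not value:
        return False
    return parse_csp(value).get("frame-ancestors") == ["'none'"]
```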
