-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrading HTTPS security on HOT websites #127
Comments
Talking with @willemarcel it seems you faced some challenges implementing this, so I wanted to share some tips from my personal experience implementing the recommendations on other sites:
https://infosec.mozilla.org/guidelines/web_security#content-security-policy For this there are at least 3 important factors: Have a list of external urls where you load resources from (or try to self-host most libraries to improve privacy) and analyze how much inline js and css you use on your code (to try to plan to move these to a file instead). Please, ping me if you have other questions where my experience can be helpful. Cheers. |
@nukeador Thank you for the guidelines. There are multiple challenges in play here.
The HOT website is hosted on Github pages which, sadly, does not allow setting HTTP headers. So we are restricted to http
Missing any domains in the CSP whitelist causes drastic problems with functionality. Therefore, I had to know every single resource included in the HOT website. I used a browser tool that generates CSP policies and loaded (what I thought was) all the pages so that the tool can capture a list of resources being loaded. I overestimated the coverage here and the implementation broke the website and several blogposts. I'm trying to now find tools (or build a simple one myself) that read the sitemap and visit all the pages in the sitemap to build a list of resources. Alternatively, I could use the In the end, it seems like using the sitemap.xml to crawl all pages and gather resources seems like the most reliable way to go. I'll keep this ticket updated as I make progress. |
Do you have specific browsers in mind? According to this table all major browsers have full compatibility with the main CSP attributes that the observatory recommends to change: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#browser_compatibility My experience implementing CSP thought meta tags on github pages recently didn't resulted into compatibility issues.
This can be quite complex yes, specially if you want optimize for any existing external resource, that's why doing CSP in a second phase is advised. I would say that the security recommendations is to have control over external resources loaded, so allowing anyone to add images from any domain might be a policy change to consider. What other sites have done is to fetch and copy locally all these images to avoid the burden of having a huge allow list. This also applies to external css and js, where most of the times the most productive approach is to copy them locally to have full control on the code that is executed. |
Hi,
I've noticed that some HOT sites are scoring really low on the HTTPS observatory. What this means is that they might be target for different attack vectors and techniques (XSS, Man-in-the-middle...)
https://observatory.mozilla.org/analyze/tasks.hotosm.org
https://observatory.mozilla.org/analyze/www.hotosm.org
It would be good to also run this over other sites under HOT's control.
Cheers.
The text was updated successfully, but these errors were encountered: