[1.15] Nonce Changes #84

Merged
merged 1 commit into from Dec 19, 2023
30 changes: 24 additions & 6 deletions docs/admin/security.md
Expand Up @@ -68,10 +68,31 @@ To localize error message you have to define a new message file with the followi
Web Security Configuration
---------------------

HumHub 1.4 comes with a build in web security configuration used to set security headers and csp rules. The default security
HumHub comes with a build in web security configuration used to set security headers and csp rules. The default security
configuration can be found at `protected/humhub/config/web.php`.

Since the default security settings are rather loose, you may want to align those settings to your own requirements.
### Disable Javascript Nonce

Since HumHub 1.15, Javascript CSP Nonce is required and enabled by default. To disable this, please add following lines to your configuration.

**protected/config/web.php:**

```php
return [
'modules' => [
'web' => [
'security' => [
'csp' => [
'nonce' => false
]
]
]
]
]
```

### Strict CSP Settings

The strictest CSP settings for your installation highly depend on the used features as installed modules, configured oembed provider or
custom iframe pages etc.

Expand Down Expand Up @@ -174,10 +195,7 @@ while enforcing the csp rule.
**CSP Nonce:**

The csp also supports a [nonce](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src)
settings for your `script-src`. This can be enabled by setting `nonce => true` within your custom security configuration.
If enabled modern browsers will only execute scripts containing a generated nonce token.

> Note: Since this feature is rather new, some modules may do not support this feature.
settings for your `script-src`. Modern browsers will only execute scripts containing a generated nonce token.

> Note: Some settings as the nonce configuration, may not be supported by some modules. In case you notice modules not working
properly with your security configuration, please contact the module owner or refer to the module description. Also check the
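Review bot: with `nonce => true` removed from this paragraph, the rewritten sentence "Modern browsers will only execute scripts containing a generated nonce token." no longer tells the reader that the nonce is on by default or where it is controlled; suggest one sentence pointing to the `'nonce' => false` key under `'csp'` documented in the "Disable Javascript Nonce" section earlier in this file. In the surviving note, "Some settings as the nonce configuration, may not be supported by some modules" should read "such as the nonce configuration", and since the nonce is now the default, the consequence is stronger than "not supported": a module that emits inline scripts without the generated nonce will have them blocked by the browser, which is worth stating explicitly so admins know what breakage to look for.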