
Configuring: mention CSP-Report-Only header (#689)

PavelJurasek authored and dg committed Sep 30, 2018
1 parent 7794a7e commit d3d6ece3e46a0d23ac56cd44b91739251e703c58
Showing with 20 additions and 12 deletions.
  1. +6 −2 cs/configuring.texy
  2. +14 −10 en/configuring.texy
@@ -201,18 +201,22 @@ http:
frames: ... # ovlivňuje hlavičku X-Frame-Options

headers:
X-Powered-By: MyCMS # custom HTTP header
X-Powered-By: MyCMS # odešle vlastní HTTP hlavičku

csp: # Content Security Policy
script-src: [
nonce # for browsers that support CSP2
self, unsafe-inline # for browsers that support CSP1
]

cspReportOnly: # Content Security Policy Report Only (od nette/http 2.4.10)
default-src: self
report-uri: 'https://my-report-uri-endpoint'
\--

Framework z bezpečnostních důvodů odesílá hlavičku `X-Frame-Options: SAMEORIGIN`, která říká, že stránku lze zobrazit uvnitř jiné stránky (v elementu IFRAME) pouze pokud se nachází na stejné doméně. To může být v některých situacích nežádoucí (například pokud vyvíjíte aplikaci pro Facebook), chování lze proto vypnout nastavením položky `frames: true`.

Můžete ovlivňovat i další odesílané hlavičky nastavením http.headers. V tomto příkladě nastavujeme hlavičku Content-Security-Policy která nám dovolí stahovat externí soubory (img, script apod.) pouze z naší domény. Více o hlavičce [Content-Security-Policy |http://content-security-policy.com/].
V příkladě nastavujeme hlavičky `Content-Security-Policy` & `Content-Security-Policy-Report-Only`. Více informací najdete v [dokumentaci CSP |https://content-security-policy.com].


HTTP proxy
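Review bot: the rewritten sentence at the end of this hunk (`V příkladě nastavujeme hlavičky ...`) no longer tells the reader what either policy does: the earlier wording explained that the policy only allows resources (img, script, etc.) to be loaded from the application's own domain, and the new `cspReportOnly` block with `default-src: self` and `report-uri: 'https://my-report-uri-endpoint'` is not explained at all. Suggest keeping the explanation of `self` and adding one sentence saying that `Content-Security-Policy-Report-Only` does not block anything, it only reports violations to the `report-uri` endpoint, which is why it is useful for trying out a stricter policy before moving it into `csp`. Minor consistency point: `X-Powered-By` got a Czech comment (`# odešle vlastní HTTP hlavičku`) while the `script-src` comments (`# for browsers that support CSP2`) stay English in the Czech file.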
@@ -193,22 +193,26 @@ HTTP Headers
============

/--neon
http:
frames: ... # header X-Frame-Options
http:
frames: ... # header X-Frame-Options

headers:
X-Powered-By: MyCMS # sends custom HTTP header

headers:
X-Powered-By: MyCMS # custom HTTP header
csp: # Content Security Policy
script-src: [
nonce # for browsers that support CSP2
self, unsafe-inline # for browsers that support CSP1
]

csp: # Content Security Policy
script-src: [
nonce # for browsers that support CSP2
self, unsafe-inline # for browsers that support CSP1
]
cspReportOnly: # Content Security Policy Report Only (since nette/http 2.4.10)
default-src: self
report-uri: 'https://my-report-uri-endpoint'
\--

For security reasons Nette Framework sends HTTP header `X-Frame-Options: SAMEORIGIN` by default, so that the page can be embedded in iframe only from pages on the same domain. This behavior may be unwanted in certain situations (for example if you are developing a facebook application). You can override this setting by `frames: true`, `frames: http://allowed-host.com` or `frames: false`.

We can also influence other sent headers by setting `http.headers`. In this example, we set a `Content-Security-Policy` header that allows us to access external files (img, script, etc.) only from our domain. For more about the [Content-Security-Policy |http://content-security-policy.com/] header.
In example, we set `Content-Security-Policy` & `Content-Security-Policy-Report-Only` headers. For more informations see [CSP documentation |http://content-security-policy.com].


HTTP Proxies
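Review bot: the new closing paragraph has two grammar slips, `In example, we set` should read `In this example, we set` and `For more informations see` should read `For more information see`; the same paragraph also drops the explanation that the policy restricts external files (img, script, etc.) to the application's own domain and says nothing about what the added `cspReportOnly` block does. Since the example now shows `csp` and `cspReportOnly` side by side with different directives, suggest stating that the Report-Only header is advisory: browsers keep loading resources that violate `default-src: self` and only send violation reports to the configured `report-uri`, so it is the right place to test a new policy before enforcing it via `csp`. Also worth noting for the reader that `https://my-report-uri-endpoint` is a placeholder that must be replaced with a real collecting endpoint, otherwise the reports go nowhere.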
