-
Notifications
You must be signed in to change notification settings - Fork 105
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add an example of a "strict" security policy to the configuration docs #156
Comments
Hi @meggles711, can you be more specific about what you'd change? We've generally left it to the app to configure their CSP policy. |
Hi @g-k! I'd like to change the default to a strict policy appropriate for most applications. This would involve two changes to the current configuration.
This would still allow and require the app to configure the CSP policy for their needs but provides a strict baseline to build from. It also provides alternatives for older browsers. |
I think it would be better to use documentation for this. The guide could cover setting up a CSP with either a basic strict default (suitable for new projects), or using tools like report-uri.com or Mozilla Laboratory to build a CSP with report-only mode for a while to check it's working okay. |
That doesn't seem like a very safe policy to start with for a number of reasons: not least the refactoring required to support noncing all scripts on modern browsers, but also there's no control of style sheets. What about adding preconfigured policies that a user could import into their settings instead? |
Here are some examples of preconfigured CSP settings that you can use in your Django settings:
|
Currently the defaults are configured so that, with very minimal set up, you get a policy of I would prefer some documentation or links to trusted sources that discuss how to compose a strict CSP policy, since all websites are unique in what they can or cannot accomplish. I would welcome at least a good base configuration for the configuration docs. |
Hey Y’all, I’m an intern at Google and am working on adding or improving web security features for open source frameworks.
I think the current default CSP configuration could be made more friendly to first time CSP users. Many developers will install security tools without configuring them. It would be nice to provide a default configuration that would be appropriate for most applications. The configuration recommended here, under CSP Policy Example, should work for most applications and is a good starting point for others.
I would also be interested in updating the documentation to explain the new default configuration and adding links to external resources to help developers new to CSP understand how to best implement it.
Please let me know your thoughts and recommendations on approaching this change.
The text was updated successfully, but these errors were encountered: