CSP and thirtybees

[the.rampage.rado]

As you probably know this is a security topic since couple of years.

Be default thirtybees (and PS in that matter) does not come with default policy and on this test a vanilla installation fails with F.

One way to implement some of the most important headers is to add this code to the beginning of your htaccess file:

 

<IfModule mod_headers.c>
   Header set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' 'self' *.googleapis.com *.gstatic.com *.cloudflare.com *.googletagmanager.com *.google-analytics.com *.youtube.com *.google.com;"
   Header set X-XSS-Protection "1; mode=block"
   Header always append X-Frame-Options SAMEORIGIN
   Header set X-Content-Type-Options nosniff
   Header set Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
   Header set Referrer-Policy: strict-origin-when-cross-origin
   Header unset X-Powered-By
   Header always unset X-Powered-By
</IfModule>

This code is far from perfect, unsafe-inline and unsafe-eval should be used very carefully but should we remove them completely if we're not sure if we have embedded js. This code gives A on this test but keep in mind that on the first row you should add all external resources you use and on each row the settings should be customised to your needs. This is what appears to work for me.

Another (nicer) solution is this free module from nenes25 which adds further options for logging, debugging and testing in BO. Unfortunately the support for PS1.6.1.x that is advertised in his blog does not translate in the latest 0.4 version and I'm unable to install it on my test setup. 

 

What are you using to fix this?