Differences
This shows you the differences between two versions of the page.
administration:security:content_security_policy [2020/06/29 12:14] – demiankatz | administration:security:content_security_policy [2020/06/29 18:22] – [Content Security Policy] demiankatz | ||
Line 5: | Line 5: | ||
HTTP responses can include a Content Security Policy header which provides restrictions on the behavior of the client in order ot provide improved security. VuFind supports the creation of CSP headers to restrict web browser behavior and prevent common security vulnerabilities such as cross-site scripting. | HTTP responses can include a Content Security Policy header which provides restrictions on the behavior of the client in order ot provide improved security. VuFind supports the creation of CSP headers to restrict web browser behavior and prevent common security vulnerabilities such as cross-site scripting. | ||
- | You can learn more at the [[https:// | + | You can learn more at the Mozilla Developer Resources pages about [[https:// |
===== Configuring VuFind' | ===== Configuring VuFind' | ||
- | // Details coming soon. // | + | ==== Configuration File ==== |
+ | All settings related to Content Security Policies can be found in contentsecuritypolicy.ini. | ||
+ | |||
+ | ==== Enforcing vs. Reporting ==== | ||
+ | |||
+ | The CSP can be configured to either block violating content, or simply to report problems. VuFind is set to reporting mode by default to avoid backward compatibility breaks. | ||
+ | |||
+ | === Receiving Reports === | ||
+ | |||
+ | When in reporting mode, you can set the report-to setting in contentsecuritypolicy.ini to send reports of violations to a URI that implements a simple API. VuFind does not currently include a built-in reporting endpoint, but several options exist, including: | ||
+ | |||
+ | * [[https:// | ||
+ | * [[https:// | ||
===== Best Practices / Recommendations ===== | ===== Best Practices / Recommendations ===== | ||
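Review bot: the new "Receiving Reports" paragraph tells the reader to set the report-to setting in contentsecuritypolicy.ini without saying which CSP reporting mechanism that produces, and the two are not interchangeable. The legacy `report-uri` directive is honoured by every browser that implements CSP, whereas the `report-to` directive only takes effect when the response also carries a `Report-To` (or the newer `Reporting-Endpoints`) header and is only honoured by browsers implementing the Reporting API; the report body formats also differ. Suggest naming the directive VuFind actually emits and which report format a receiving endpoint must accept, otherwise an administrator choosing between the two listed endpoint options cannot tell which one will receive anything. Two smaller points in the same hunk: the "Enforcing vs. Reporting" section should state that reporting mode gives no protection by itself and that the expected workflow is to switch to enforcing once the reports come back clean, and the unchanged opening paragraph still carries the typo "in order ot provide".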
administration/security/content_security_policy.txt · Last modified: 2024/04/11 13:51 by demiankatz