Warning: This page has not been updated in over a year and may be outdated or deprecated.
Differences
This page compares two revisions of administration:security:content_security_policy: [2020/06/30 05:43] – [Enforcing vs. Reporting] xmorave2, and [2024/04/11 13:51] (current) – demiankatz. The text below is the current revision.
====== Content Security Policy ======
:!: // This feature was introduced in VuFind®
HTTP responses can include a Content-Security-Policy (CSP) header, which tells the browser which origins and kinds of content a page may load and execute, restricting client behavior in order to improve security. VuFind supports the creation of CSP headers to restrict web browser behavior and mitigate common vulnerabilities such as cross-site scripting (XSS): a script injected into a page cannot run unless the policy allows its source.
You can learn more at the Mozilla Developer Resources pages about [[https://
===== Configuring
==== Configuration File ====
All settings related to Content Security Policies can be found in [[https://
==== Enforcing vs. Reporting ====
The CSP can be configured either to block violating content (enforcing mode, sent as the Content-Security-Policy header) or simply to report problems (report-only mode, sent as the Content-Security-Policy-Report-Only header). The policy text is the same in both modes; only the header name, and therefore the browser's reaction to a violation, differs. Report-only mode is the safe way to introduce or tighten a policy, because a directive that is too strict breaks nothing until you switch to enforcement.
=== Receiving Reports ===
When in reporting mode, you can set the report-to setting in [[https://
  * [[https://
  * [[https://
  * [[https://
All violations are usually reported in browser'
Here are some tips and recommendations:
  * By default,
  * By default,
  * Consider setting up a reporting server (see tool options listed above) so you can test whether any pages of your site are violating your CSP; once you have determined that the site is working as expected, you should
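As an added worked example for the Enforcing vs. Reporting and Receiving Reports sections and the last tip above (this is not VuFind's own code or configuration, and it does not read VuFind's configuration file), the following Python script shows what the two modes amount to on the wire and what a small reporting endpoint would do with what it receives: the same policy is emitted under either the Content-Security-Policy or the Content-Security-Policy-Report-Only header name; a violation report is parsed in both the legacy application/csp-report shape that browsers POST for report-uri and the Reporting API shape used for report-to; and each report is turned into the policy adjustment a reviewer should consider before switching the site from report-only to enforcing. The directive set, hostnames and report bodies are constructed for the illustration; the header names and report fields are those defined by the CSP specifications, not anything taken from VuFind's configuration.

```python
# Added example for this wiki page, not VuFind code: CSP header modes and report triage.
import json
from typing import Dict, Iterable, List, Mapping, Optional, Sequence, Tuple
from urllib.parse import urlsplit

# Constructed starting policy; VuFind's real defaults live in its own configuration file.
POLICY: Mapping[str, Sequence[str]] = {
    "default-src": ["'self'"], "script-src": ["'self'"],
    "style-src": ["'self'"], "img-src": ["'self'", "data:"],
}

def serialize_policy(directives: Mapping[str, Sequence[str]],
                     report_uri: Optional[str] = None) -> str:
    """Serialize a directive map into one CSP header value. report_uri becomes a
    report-uri directive: deprecated in CSP Level 3, but still the most widely
    honoured way to receive reports without also sending the Reporting-Endpoints
    header that the newer report-to directive requires."""
    parts = [f"{name} {' '.join(values)}" for name, values in directives.items()]
    if report_uri:
        parts.append(f"report-uri {report_uri}")
    return "; ".join(parts)

def csp_header(directives: Mapping[str, Sequence[str]], enforce: bool,
               report_uri: Optional[str] = None) -> Tuple[str, str]:
    """Return (header name, value). The policy text is identical in both modes; only
    the header name, and so whether the browser blocks or merely reports, differs."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, serialize_policy(directives, report_uri)

def _record(document, directive, blocked, disposition, source, line) -> dict:
    return {"document": document, "directive": directive, "blocked": blocked,
            "disposition": disposition, "source": source, "line": line}

def parse_violation_report(body: bytes) -> List[dict]:
    """Normalise a browser-POSTed report. Accepts the legacy application/csp-report
    object (one report under "csp-report", sent for report-uri) and the Reporting API
    array of {"type": "csp-violation", "body": {...}} objects (sent for report-to)."""
    data = json.loads(body)
    if isinstance(data, dict) and "csp-report" in data:
        r = data["csp-report"]
        # Older browsers sent only violated-directive, sometimes with its values appended.
        directive = r.get("effective-directive") or r.get("violated-directive", "").split(" ")[0]
        return [_record(r.get("document-uri", ""), directive, r.get("blocked-uri", ""),
                        r.get("disposition", "enforce"), r.get("source-file", ""), r.get("line-number"))]
    if isinstance(data, list):
        out = []
        for item in data:
            if item.get("type") != "csp-violation":
                continue  # a Reporting API endpoint also receives other report types
            b = item.get("body", {})
            out.append(_record(b.get("documentURL", ""), b.get("effectiveDirective", ""), b.get("blockedURL", ""),
                               b.get("disposition", "enforce"), b.get("sourceFile", ""), b.get("lineNumber")))
        return out
    raise ValueError("unrecognised CSP report format")

def suggest_fix(report: dict) -> str:
    """Map one report to the policy change a reviewer should consider. Reports are
    untrusted input (anyone can POST to the endpoint), so never apply them automatically."""
    blocked, directive = report["blocked"], report["directive"]
    if blocked == "inline":
        return f"{directive}: inline code blocked; add a nonce or hash rather than 'unsafe-inline'"
    if blocked == "eval":
        return f"{directive}: eval blocked; refactor the script rather than adding 'unsafe-eval'"
    if blocked == "data":
        return f"{directive}: data: URI blocked; allow the data: scheme only if this directive needs it"
    origin = urlsplit(blocked)
    if origin.scheme and origin.netloc:
        return f"{directive}: add {origin.scheme}://{origin.netloc} to the allow list if it is a legitimate dependency"
    return f"{directive}: blocked {blocked!r}; inspect manually"

def triage(reports: Iterable[dict]) -> Dict[str, List[str]]:
    """Group distinct suggestions by directive so repeated page loads collapse to one line."""
    grouped: Dict[str, List[str]] = {}
    for r in reports:
        suggestion = suggest_fix(r)
        bucket = grouped.setdefault(r["directive"], [])
        if suggestion not in bucket:
            bucket.append(suggestion)
    return grouped

# Constructed sample: a legacy report-uri POST body (Content-Type: application/csp-report).
LEGACY_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://catalog.example.edu/Search/Results?lookfor=csp",
    "violated-directive": "script-src 'self'", "effective-directive": "script-src",
    "blocked-uri": "inline", "source-file": "https://catalog.example.edu/Search/Results",
    "line-number": 42, "disposition": "report"}}).encode()

# Constructed sample: a Reporting API body (Content-Type: application/reports+json).
REPORTING_API = json.dumps([{"type": "csp-violation", "age": 10, "body": {
    "documentURL": "https://catalog.example.edu/Record/123", "effectiveDirective": "img-src",
    "blockedURL": "https://covers.example-cdn.net/isbn/9780000000000.jpg",
    "disposition": "report", "sourceFile": "", "lineNumber": 0}}]).encode()

if __name__ == "__main__":
    print(*csp_header(POLICY, enforce=False, report_uri="/csp-report"), sep=": ")  # stage 1: collect
    for d, s in triage(parse_violation_report(LEGACY_REPORT) + parse_violation_report(REPORTING_API)).items():
        print(f"[{d}] {' | '.join(s)}")
    print(*csp_header(POLICY, enforce=True), sep=": ")  # stage 2: same policy, now enforced
```

Two points the script makes that the prose above does not: a report-only header with no reporting destination only ever shows violations in the visitor's own browser console, so the reporting server is what lets you see problems on pages you did not load yourself; and the contents of a report (blocked-uri, source-file, document-uri) are attacker-influenceable, so an endpoint should log and escape them and a human should decide which directives to widen, rather than a script rewriting the policy from whatever arrives. The example emits report-uri because browsers honour it most widely; if VuFind's report-to setting is surfaced as the report-to directive instead, the response also needs a Reporting-Endpoints header naming the endpoint group, or browsers will not deliver anything.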
administration/security/content_security_policy.txt · Last modified: 2024/04/11 13:51 by demiankatz