About Features Downloads Getting Started Documentation Events Support GitHub

Love VuFind®? Consider becoming a financial supporter. Your support helps build a better VuFind®!

VuFind Documentation

Site Tools

You are here: start » administration » security » content_security_policy
Trace:
Warning: This page has not been updated in over over a year and may be outdated or deprecated.
administration:security:content_security_policy

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
administration:security:content_security_policy [2020/06/30 10:12] – [Enforcing vs. Reporting] demiankatzadministration:security:content_security_policy [2024/04/11 13:51] (current) demiankatz
Line 1: Line 1:
 ====== Content Security Policy ====== ====== Content Security Policy ======
  
-:!: // This feature was introduced in VuFind 7.0. //+:!: // This feature was introduced in VuFind® 7.0. //
  
 HTTP responses can include a Content Security Policy header which provides restrictions on the behavior of the client in order ot provide improved security. VuFind supports the creation of CSP headers to restrict web browser behavior and prevent common security vulnerabilities such as cross-site scripting. HTTP responses can include a Content Security Policy header which provides restrictions on the behavior of the client in order ot provide improved security. VuFind supports the creation of CSP headers to restrict web browser behavior and prevent common security vulnerabilities such as cross-site scripting.
Line 7: Line 7:
 You can learn more at the Mozilla Developer Resources pages about [[https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP| Content Security Policies]] and [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy|CSP Headers]]. You can learn more at the Mozilla Developer Resources pages about [[https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP| Content Security Policies]] and [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy|CSP Headers]].
  
-===== Configuring VuFind's CSP =====+===== Configuring VuFind®'s CSP =====
  
 ==== Configuration File ==== ==== Configuration File ====
  
-All settings related to Content Security Policies can be found in [[https://github.com/vufind-org/vufind/blob/master/config/vufind/contentsecuritypolicy.ini|contentsecuritypolicy.ini]].+All settings related to Content Security Policies can be found in [[https://github.com/vufind-org/vufind/blob/dev/config/vufind/contentsecuritypolicy.ini|contentsecuritypolicy.ini]].
  
 ==== Enforcing vs. Reporting ==== ==== Enforcing vs. Reporting ====
  
-The CSP can be configured to either block violating content, or simply to report problems. VuFind is set to reporting mode by default to avoid backward compatibility breaks.+The CSP can be configured to either block violating content, or simply to report problems. VuFind® is set to reporting mode by default to avoid backward compatibility breaks.
  
 === Receiving Reports === === Receiving Reports ===
  
-When in reporting mode, you can set the report-to setting in [[https://github.com/vufind-org/vufind/blob/master/config/vufind/contentsecuritypolicy.ini|contentsecuritypolicy.ini]] to send reports of violations to a URI that implements a simple API. VuFind does not currently include a built-in reporting endpoint, but several options exist, including:+When in reporting mode, you can set the report-to setting in [[https://github.com/vufind-org/vufind/blob/dev/config/vufind/contentsecuritypolicy.ini|contentsecuritypolicy.ini]] to send reports of violations to a URI that implements a simple API. VuFind® does not currently include a built-in reporting endpoint, but several options exist, including:
  
   * [[https://github.com/seek-oss/csp-server|seek-oss/csp-server]] - an open source, Node.js-based solution   * [[https://github.com/seek-oss/csp-server|seek-oss/csp-server]] - an open source, Node.js-based solution
Line 30: Line 30:
 Here are some tips and recommendations: Here are some tips and recommendations:
  
-  * By default, VuFind is set up to be fairly permissive about which scripts it will execute; if you are not using any options that rely on external scripts, or if you can reliably eliminate the use of non-HTTPS files, you should consider applying more restrictive settings than the defaults. +  * By default, VuFind® is set up to be fairly permissive about which scripts it will execute; if you are not using any options that rely on external scripts, or if you can reliably eliminate the use of non-HTTPS files, you should consider applying more restrictive settings than the defaults. 
-  * By default, VuFind assumes that all CSS styles, images and fonts will be served up locally; if you are using any services or customizations that pull these resources in from third-party sites, you will need to set up more permissive settings. +  * By default, VuFind® assumes that all CSS styles, images and fonts will be served up locally; if you are using any services (like Google fonts for example) or customizations that pull these resources in from third-party sites, you will need to set up more permissive settings. 
-  * Consider setting up a reporting server (see tool options listed above) so you can test whether any pages of your site are violating your CSP; once you have determined that the site is working as expected, you should turn off report_only settings for your production site in order to improve security.+  * Consider setting up a reporting server (see tool options listed above) so you can test whether any pages of your site are violating your CSP; once you have determined that the site is working as expected, you should change 'enable' settings from 'report_only' to 'true' for your production site in order to improve security.
  
  
 ---- struct data ---- ---- struct data ----
 +properties.Page Owner : 
 ---- ----
  
administration/security/content_security_policy.1593511949.txt.gz · Last modified: 2020/06/30 10:12 by demiankatz