Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FEATURE: Content-Security-Policy-Header #5177

Open
1 task done
t-heuser opened this issue Jul 8, 2024 · 1 comment
Open
1 task done

FEATURE: Content-Security-Policy-Header #5177

t-heuser opened this issue Jul 8, 2024 · 1 comment
Labels
Feature

Comments

@t-heuser
Copy link

t-heuser commented Jul 8, 2024
edited
Loading

Is there an existing issue for this topic?

  • I have searched the existing issues

Description

I'd love to see the Content-Security-Policy-Header (CSP) to be implemented in the NEOS core for backend and frontend.

It would make NEOS projects more secure per default, it could mitigate XSS-attacks for example.

Possible Solution

There is already an existing package for NEOS which adds CSP, but it's very old and not working anymore. But I guess it will be very useful for some inspiration.

I tried to repair the package by myself but they were issues with nonces and cache, like others described in this slack thread.
@bwaidelich
Copy link
Member

Just one note (as mentioned before):
Whatever the implementation is, it should not be based on Fusion in my opinion because that bakes the CSP rules into the content cache (which in turn means that caches have to be flushed whenever they change – unless we manage to put them into some dedicated cache segment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bwaidelich @t-heuser