Understanding Content-Security-Policy

[WorkinOnIt]

I am interested to prevent click jacking on my customer's website that is hosted in cPanel.

I have been researching Content-Security-Policy: frame-ancestors 'self' -

As I understand it, this prevents bad actors from copying e.g. a client login site (like a bank) into e.g. an iFrame and redirecting users to a malicious site.

However, I am a bit vague on the best way to implement CSP, especially at the single site level.

This help article seems to suggest you can simply add a line to the .htaccess file - but is it referring to the one in the public_html/ folder or at the server level ?

I want to target this policy to individual sites / or alias / parked domains on a single site.

Apache Content-Security-Policy Header
Add the following to your httpd.conf in your VirtualHost or in an .htaccess file:

Header set Content-Security-Policy "default-src 'self';"

I also found the OWASP site information quite helpful.

Wondering if cPanel can offer some tips

Thanks

 

[ZenHostingTravis]

Hi @WorkinOnIt,

There are some tips in the following thread's posts that show how to disable clickjacking using your .htaccess file.

SOLVED - Tips for .htaccess

Hello Everybody, This .htaccess tutorial is for anybody that has access to a cPanel. With an .htaccess file you can secure your site from a lot of negative traffic from Bots, Scanners, Scrapers, Hackers and otherwise nefarious actions against your site. By using the examples shown below you can...

forums.cpanel.net

eg

#COMMENT | This denys other sites from IFraming your site. It prevents clickjacking.
Header always append X-Frame-Options DENY

 

[egranty]

This help article (https://content-security-policy.com/) seems to suggest you can simply add a line to the .htaccess

Unfortunately pointed website is poorly versed in the subject. Simply adding a line to the .htaccess could have an awful consequences..

1. It's more safer to wrap headers into <IfModule mod_headers.c> block in case of mod_headers is not installed with Apache. It's not relevant for cpanel.net, but could be relevant for others, otherwise you'll get error with 500 code:

<IfModule mod_headers.c>
   Header set Content-Security-Policy "frame-ansectors 'self'"
   Header set X-Frame-Options "DENY"
</IfModule>

2. Headers from .htaccess will be published with all files (any of MIME types). This leads your PDF files and media files failed to be embedded into third party web-pages using iframe too. It makes sense to use the <FilesMatch regex> construction like:

<FilesMatch "\.(php|phps|html)$">
Header set Content-Security-Policy "... directives here ..."
</Files>

to exclude some MIME-types not to be accompanied by CSP headers. It can be actual for workers, because for these Firefox follows CSP been sent with javascript files.

In general, .htaccess or web server config file is not the best way to publish the CSP as it makes it difficult to manage the header and use nonce-value. It's suitable for parked domains or some easy cases.

 

[cPRex]

Thanks for the post, @ZenHostingTravis !

 

[WorkinOnIt]

Very helpful, thanks all @egranty some typos in your example.

Here is what I am currently doing:

<FilesMatch "\.(php|html)$">
Header set Content-Security-Policy "frame-ancestors 'self'"
</FilesMatch>

However, this helpful, this evaluator page from google shows the following warning:

[tick ] frame-ancestors
[error] script-src [missing]: script-src directive is missing.
[error] object-src [missing]: Missing object-src allows the injection of plugins which can execute JavaScript. Can you set it to 'none'?

 

[WorkinOnIt]

OK I solved all the issues now -

I am using this in my .htaccess:


Header set Content-Security-Policy "frame-ancestors 'self'; upgrade-insecure-requests; default-src 'self'; script-src 'self' data: cdnjs.cloudflare.com Analytics Tools & Solutions for Your Business - Google Analytics reCAPTCHA https://googleapis.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; object-src 'self'; frame-src data: google.com; img-src 'self' data: gstatic.com; font-src 'self' fonts.gstatic.com; connect-src 'self' base-uri 'self'; form-action 'self'; worker-src 'none';"


However, I am not sure if I am supposed to wrap the above in the

<FilesMatch "\.(php|html)$">

</FilesMatch>

???


Also - on the front end of the site is a WordPress installation. Currently I am not applying the above to that - but only to the folder "example.com/customers" - as this is a folder where customers login.

Would it be better to add the CSP to the entire site? I did briefly try to add it to Wordpress - but there were dozens of scripts that were suddenly not loading. It seems like adding each script to the SRC and CONNECT parameters would be a very long job.



Here is a useful site to use as a checker:

Homepage

Orca Security is agentless, workload-deep, context-aware cloud infrastructure security and compliance for IaaS platforms AWS, Azure, and GCP.

cspscanner.com