Understanding Content-Security-Policy

WorkinOnIt

Well-Known Member
Aug 3, 2016
227
30
78
UK
cPanel Access Level
Root Administrator
I am interested to prevent click jacking on my customer's website that is hosted in cPanel.

I have been researching Content-Security-Policy: frame-ancestors 'self' -

As I understand it, this prevents bad actors from copying e.g. a client login site (like a bank) into e.g. an iFrame and redirecting users to a malicious site.

However, I am a bit vague on the best way to implement CSP, especially at the single site level.

This help article seems to suggest you can simply add a line to the .htaccess file - but is it referring to the one in the public_html/ folder or at the server level ?

I want to target this policy to individual sites / or alias / parked domains on a single site.

Apache Content-Security-Policy Header
Add the following to your httpd.conf in your VirtualHost or in an .htaccess file:

Header set Content-Security-Policy "default-src 'self';"
I also found the OWASP site information quite helpful.

Wondering if cPanel can offer some tips

Thanks
 
Last edited by a moderator:

ZenHostingTravis

Well-Known Member
PartnerNOC
May 22, 2020
275
95
28
Australia
cPanel Access Level
Root Administrator
Hi @WorkinOnIt,

There are some tips in the following thread's posts that show how to disable clickjacking using your .htaccess file.


eg

#COMMENT | This denys other sites from IFraming your site. It prevents clickjacking.
Header always append X-Frame-Options DENY
 
  • Like
Reactions: WorkinOnIt

egranty

Registered
Mar 11, 2021
1
1
3
Somewhere in Russia
cPanel Access Level
Website Owner
This help article (https://content-security-policy.com/) seems to suggest you can simply add a line to the .htaccess
Unfortunately pointed website is poorly versed in the subject. Simply adding a line to the .htaccess could have an awful consequences..

1. It's more safer to wrap headers into <IfModule mod_headers.c> block in case of mod_headers is not installed with Apache. It's not relevant for cpanel.net, but could be relevant for others, otherwise you'll get error with 500 code:

Code:
<IfModule mod_headers.c>
   Header set Content-Security-Policy "frame-ansectors 'self'"
   Header set X-Frame-Options "DENY"
</IfModule>
2. Headers from .htaccess will be published with all files (any of MIME types). This leads your PDF files and media files failed to be embedded into third party web-pages using iframe too. It makes sense to use the <FilesMatch regex> construction like:
Code:
<FilesMatch "\.(php|phps|html)$">
Header set Content-Security-Policy "... directives here ..."
</Files>
to exclude some MIME-types not to be accompanied by CSP headers. It can be actual for workers, because for these Firefox follows CSP been sent with javascript files.

In general, .htaccess or web server config file is not the best way to publish the CSP as it makes it difficult to manage the header and use nonce-value. It's suitable for parked domains or some easy cases.
 
  • Like
Reactions: WorkinOnIt

WorkinOnIt

Well-Known Member
Aug 3, 2016
227
30
78
UK
cPanel Access Level
Root Administrator
Very helpful, thanks all @egranty some typos in your example.

Here is what I am currently doing:

<FilesMatch "\.(php|html)$">
Header set Content-Security-Policy "frame-ancestors 'self'"
</FilesMatch>


However, this helpful, this evaluator page from google shows the following warning:

[tick ] frame-ancestors
[error] script-src [missing]: script-src directive is missing.
[error] object-src [missing]: Missing object-src allows the injection of plugins which can execute JavaScript. Can you set it to 'none'?


CSP-Evaluator.jpg
 
Last edited:
  • Like
Reactions: cPRex

WorkinOnIt

Well-Known Member
Aug 3, 2016
227
30
78
UK
cPanel Access Level
Root Administrator
OK I solved all the issues now -

I am using this in my .htaccess:


Header set Content-Security-Policy "frame-ancestors 'self'; upgrade-insecure-requests; default-src 'self'; script-src 'self' data: cdnjs.cloudflare.com Analytics Tools & Solutions for Your Business - Google Analytics reCAPTCHA https://googleapis.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; object-src 'self'; frame-src data: google.com; img-src 'self' data: gstatic.com; font-src 'self' fonts.gstatic.com; connect-src 'self' base-uri 'self'; form-action 'self'; worker-src 'none';"


However, I am not sure if I am supposed to wrap the above in the

<FilesMatch "\.(php|html)$">

</FilesMatch>

???


Also - on the front end of the site is a WordPress installation. Currently I am not applying the above to that - but only to the folder "example.com/customers" - as this is a folder where customers login.

Would it be better to add the CSP to the entire site? I did briefly try to add it to Wordpress - but there were dozens of scripts that were suddenly not loading. It seems like adding each script to the SRC and CONNECT parameters would be a very long job.



Here is a useful site to use as a checker:

 
Last edited: