堆栈内存溢出
  简体   繁体   English

导航链接的内容安全策略

[英]content security policy for navigation links

 原文  2022-11-29 10:07:32       angular/ spring-boot/ xss/ content-security-policy

问题描述

In my project, I have backend (spring boot) and frontend (angular).在我的项目中,我有后端(spring boot)和前端(angular)。 The cybersecurity team wants CSP header in response-headers on every page.网络安全团队希望在每个页面的响应标头中包含 CSP header。

I have provided them CSP header on all my endpoints authenticated or unauthenticated, but they also want it on navigation links which renders only from frontend like '/login'.我已经在我所有经过身份验证或未经身份验证的端点上向他们提供了 CSP header,但他们也希望它出现在仅从前端呈现的导航链接上,例如“/登录”。

So, I have provided them CSP as meta-tag by adding it in index.html.因此,我通过将 CSP 添加到 index.html 中,为他们提供了 CSP 作为元标记。 Still, they want it as a response header.尽管如此,他们仍希望将其作为回应 header。

Now, my questions现在,我的问题

1: how important it is to have CSP on pages which do not load on the basis of backend interaction? 1:在后端交互的基础上不加载的页面上有CSP有多重要?

2: what are the best ways to achieve this? 2:实现这一目标的最佳方法是什么?

3: and because our cybersecurity team is adamant, how can I add CSP on response header on these kinds of pages? 3:因为我们的网络安全团队很坚定,我如何在这些页面上的响应 header 上添加 CSP?

1 个解决方案

解决方案1
 1 已采纳  2022-11-29 14:41:28

Addressing your questions in order:按顺序回答你的问题:

  1. It is still possible to find an XXS in a page that does not communicate with the backend.还是有可能在不与后台通信的页面中发现XXS。 For example if the attacker can execute arbitrary JavaScript on your login page, they can in theory use this to steal your users passwords.例如,如果攻击者可以在您的登录页面上执行任意 JavaScript,理论上他们可以使用它来窃取您的用户密码。 CSP can mitigate these attacks and should therefore be used here. CSP 可以减轻这些攻击,因此应在此处使用。

  2. Do you mean CSP meta-tag vs header?你是说 CSP 元标签还是 header? If this is the case I would prefer them to be in the header. If an attacker somehow can upload a HTML document and it gets served, they could in theory get around the CSP.如果是这种情况,我希望它们位于 header 中。如果攻击者可以通过某种方式上传 HTML 文档并获得服务,理论上他们可以绕过 CSP。

  3. This depends on your webserver.这取决于您的网络服务器。 If you are using Spring Boot to serve the frontend files you can enable it with spring security as described in the docs :如果您使用 Spring Boot 来提供前端文件,您可以按照文档中所述使用 spring 安全性启用它:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // ...
            .headers(headers -> headers
                .contentSecurityPolicy(csp -> csp
                    .policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/")
                )
            );
        return http.build();
    }
}

Other webservers have other configuration for this, popular ones are apache or nginx. From my experience there is typically a webserver other than spring boot that serves the frontend files.其他网络服务器对此有其他配置,流行的是 apache 或 nginx。根据我的经验,通常有一个 spring 启动以外的网络服务器为前端文件提供服务。 If you only serve a JSON REST-API over spring boot, it is actually not necessary to set the CSP in spring boot.如果您只在 spring 引导上提供 JSON REST-API,实际上没有必要在 spring 引导中设置 CSP。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 内容安全政策指令 - Content Security Policy directive Angular >= 8 的内容安全策略 - Content Security Policy with Angular >= 8 内容安全策略问题 header - Issue with content security policy header 如何使用javascript禁用内容安全策略 - how to disable Content security policy using javascript 在 Angular 的内容安全策略中将域列入白名单 - Whitelisting domains in Content Security Policy for Angular Angular 中未实施内容安全策略 (CSP) - Content Security Policy (CSP) not implemented in Angular 内容安全策略指令:拒绝加载字体 - Content Security Policy directive: Refused to load the font CORS环境中违反内容安全政策 - Content Security Policy violation in CORS environment 内容安全策略阻止 Angular 样式 - Content Security Policy blocks Angular Styles chrome 扩展内容安全策略1 - chrome extension Content Security Policy1
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM