Content Security Policy Header

I have followed Jay’s videos on Ubuntu servers and found them very helpful,
Is there a video which discusses Content Security Policy Headers?
I had an occasion to check one of my websites for security. Every one of the various security checkers mentioned the absence of a Content Security Policy Header and the use of TLS 1.0 and 1.1. Although the website does support TLS 1.2 and 1.3 should I be concerned?
How do you setup a content security policy header in Ubuntu server 20.04?

It’s really an HTTP site setting, rather than an OS setting:

I see no answer to my question about whether or not Jay has created a video on this subject. That being the case, do other members feel that he should create some about security in general? I would hate to think we are being shown how to install an Ubuntu Server which is not secure!

If you read the pages I linked, you will see that it’s not even an OS feature; it’s something that individual websites can optionally set. It has nothing to do with Ubuntu (or any OS) and claiming Ubuntu’s “not secure” is false and misleading.

1 Like

Totally agree. CORS / CSP is a big subject, but it’s not an OS issue, it’s a standard implementation / relaxation mechanism - nothing to do with the underlying OS. I think, could be wrong, that in servers like Apache / Nginx CSP / CORS is disabled by default and one must implicitly allow CSP / CORS with a server directive. These can also be implemented in the site code itself.

Likewise, implementing TLS 1.2, 1.3 is another server directive, something along the lines of:

Apache:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Nginx:
ssl_protocols TLSv1.2 TLSv1.3;

Plus all the additional SSL stuff in your server block.

While Apache, Nginx, etc run on the Ubuntu Server, the OS is not responsible for implementing web-server protocols. That would be the responsibility of the Server Admin / Webmaster.

EDIT:

I should have been more specific about CSP and CORS. These two are similar in nature, but deal with slightly different things. To make it even more confusing, they can, and often do, work together.

CORS - allows, for example, www.homelab.com to give permission to homelab.com to read from www.homelab.com and / or combinations thereof. e.g. cross origin, in this case, subdomains.

Same Origin
http://homelab.com/home.html
http://homelab.com/about.html

Different Subdomains, Origins and Ports
https://homelab.com/home.html - different origin - note the https:// vs. http://
http://www.homelab.com/home.html - different subdomain
http://www.homelab.com:8080/home.html - different subdomain and port

CSP - in short, allows or disallows what resources on a site can be loaded / executed (think JavaScript, CSS, image resources, etc), which can include CORS, to prevent cross site scripting attacks (XSS).

3 Likes
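Putting the two halves of this thread together for the original poster’s Ubuntu 20.04 box, here is an added Apache virtual-host example (written for this page, not posted by anyone in the thread) that sets the Content-Security-Policy header next to the TLS protocol directive. The hostname, certificate paths and the policy contents are placeholders; the policy has to be tuned to what the site actually loads, which is why it starts in report-only mode.

```apache
# Added example, not from the thread. Apache 2.4.41 / OpenSSL 1.1.1 as shipped
# with Ubuntu 20.04 support TLSv1.3. Before using this file:
#   sudo a2enmod headers ssl
#   sudo apachectl configtest && sudo systemctl reload apache2
# Apache does not allow comments after a directive, so all notes are on their own lines.
<VirtualHost *:443>
    # Placeholder hostname and document root.
    ServerName www.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    # Placeholder certificate paths.
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    # Refuse everything except TLS 1.2 and 1.3 at the handshake. This is what
    # makes the "TLS 1.0 / 1.1 supported" finding from the scanners go away.
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder on

    # Step 1: report-only. Browsers still load the page but log every violation to
    # the developer console and POST a JSON report to the report-uri endpoint (an
    # endpoint you have to provide), so you can see what the policy would block.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; img-src 'self' data:; report-uri /csp-report"

    # Step 2: once the report-only run is clean, replace the line above with the
    # enforcing header. This policy locks scripts, styles and forms to the site's
    # own origin, forbids plugins and blocks framing by other sites (clickjacking).
    # Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'"
</VirtualHost>
```

Check the result with `curl -sI https://www.example.com | grep -i content-security-policy`; a policy containing `'unsafe-inline'` or a bare `*` in `script-src` gives up most of the XSS protection the header is there for.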

Your point about it being not an OS but an implementation concern is well made. You will appreciate I am a newcomer to the ‘art’ of webservers. I will have to look for information elsewhere.

73s from ex GM3OGJ

Point taken ‘my bad’ re OS security.

1 Like

I’ve not watched “all” of @Jay’s web-server videos, but the subject of web security is an in-depth topic for sure.

There are many resources for both CSP and CORS. I’d say CSP is the more complex of the two as it has many aspects: Forms, base-uri’s, plugin-types, and more.

While not light reading, that would be a good start.

73’s (ex M0EHA, current KI7MT 🙂 )

1 Like

Thanks for the links.
It must be about 41 years since I used the callsign GM3OGJ and I am seriously out of date with callsigns. Was M0EHA a UK callsign?
73s

Yeah, M0EHA was a reciprocal call for my New England call, KE1HA. I was living / working at a tech company in York, England called Accent Optical Technologies, a former division of Bio-Rad.

Security is definitely something I’ll be getting into more, so I’m hoping I can be more helpful in that area.

Very interested to hear you say that, Jay. Looking forward to your usual in-depth approach. I have just had an awful time recently trying to understand file and directory permissions while using Apache. Your video did give me the basics, but I had to spend some time changing and observing what happens when you get off on the wrong foot with the documentation.