Enabling Content Security Policy (CSP)


Derrick Xu

Feb 14, 2022, 2:12:05 PM
to archivematica
Hello, I am trying to enable CSP according to the documentation here: https://www.archivematica.org/en/docs/archivematica-1.13/admin-manual/security/security/

Step 2 says,
"A small set of header policies are loaded from the settings.components.csp module, but you can provide your own overrides through a Python module and set its path in the CSP_SETTINGS_FILE Django setting."

Where can I find this "settings.components.csp module"? Is it something I have to install separately? How can I tell if CSP is working / if I set the boolean correctly?

Thanks for any help.

Douglas Cerna

Feb 14, 2022, 5:24:43 PM
to archiv...@googlegroups.com
Hello,

> Where can I find this "settings.components.csp module"?

I think it depends on your OS and installation method, but it should be in the src/settings/components subdirectory of the dashboard code.

For instance, in a test server (Ubuntu 18.04 setup with Ansible) that I have access to it's on:

$ cat /opt/archivematica/archivematica/src/dashboard/src/settings/components/csp.py
CSP_DEFAULT_SRC = ["'none'"]
CSP_SCRIPT_SRC = ["'self'", "'unsafe-inline'", "'unsafe-eval'"]
CSP_STYLE_SRC = ["'self'", "'unsafe-inline'"]
CSP_IMG_SRC = ["'self'", "data:"]
CSP_FONT_SRC = ["'self'", "data:"]

# for preview file pane in the appraisal tab
CSP_FRAME_SRC = ["'self'"]

# for /status
CSP_CONNECT_SRC = ["'self'"]

> Is it something I have to install separately?

No, it's included in Archivematica since version 1.13.

> How can I tell if CSP is working / if I set the boolean correctly?

You should get a Content-Security-Policy header in your responses.

For example, I can check the login view locally with curl like this:

$ curl -s -D - http://localhost:62080/administration/accounts/login/ -o /dev/null
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 14 Feb 2022 22:19:32 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 3214
Connection: keep-alive
Expires: Mon, 14 Feb 2022 22:19:32 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Vary: Cookie, Accept-Language
Content-Language: en
Content-Security-Policy: connect-src 'self'; default-src 'none'; img-src 'self' data:; frame-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'
Set-Cookie: csrftoken=xpgBtqXlKzrm2noibcxsfOsoVTA0uRCeuoQZQc3SaPE7oNJvSywwIWjnprFGjj47; expires=Mon, 13-Feb-2023 22:19:32 GMT; Max-Age=31449600; Path=/

Hope this helps.


--
Douglas Cerna (he/him),
Software Developer, Artefactual Systems Inc.
http://www.artefactual.com
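The curl check above tells you whether the header is present; the next thing a practitioner usually wants is to read the directives back and see which ones still carry weak source expressions (the default policy keeps 'unsafe-inline' and 'unsafe-eval' in script-src, which largely neutralises CSP as an XSS mitigation). The following script is an added example, not code from the thread or from the Archivematica project: it parses a Content-Security-Policy value the way a browser does (first occurrence of a directive wins, names case-insensitive), applies the default-src fallback for script-src and style-src, and lists what it finds. The sample header is the value from the curl output above; the fetch_csp() helper and the set of sources it flags are my assumptions, not anything Archivematica ships.

```python
"""Parse and audit a Content-Security-Policy header from an Archivematica
dashboard (or any Django app).  Added example; not part of the project."""
from __future__ import annotations

import urllib.error
import urllib.request
from typing import Dict, List, Optional

# Constructed sample: the header value shown in the curl output earlier in
# this thread (the default policy from settings/components/csp.py).
SAMPLE_CSP = (
    "connect-src 'self'; default-src 'none'; img-src 'self' data:; "
    "frame-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval'"
)

# Directives that govern code execution; weak sources here matter most.
EXEC_DIRECTIVES = ("script-src", "style-src")
# Source expressions that make an execution directive effectively permissive
# (assumed list for this example; extend to taste).
WEAK_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directive names are case-insensitive (lower-cased here).  A directive
    that appears twice is ignored the second time, matching browser behaviour.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue
        policy[name] = tokens[1:]
    return policy


def audit_csp(header: Optional[str]) -> List[str]:
    """Return human-readable findings for a header value (None = header absent).

    An empty list means nothing was flagged.
    """
    if header is None:
        return ["no Content-Security-Policy header: CSP is not enabled"]
    policy = parse_csp(header)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append(
            "default-src missing: unlisted fetch directives fall back to allow-all"
        )
    for directive in EXEC_DIRECTIVES:
        # Effective sources: the directive itself, else the default-src fallback.
        sources = policy.get(directive, policy.get("default-src", []))
        for src in sources:
            if src in WEAK_SOURCES:
                findings.append(f"{directive} allows {src}")
    # frame-ancestors does not inherit from default-src, so check it directly.
    if "frame-ancestors" not in policy:
        findings.append(
            "frame-ancestors missing: CSP does not restrict framing "
            "(X-Frame-Options may still apply)"
        )
    return findings


def fetch_csp(url: str) -> Optional[str]:
    """GET `url` and return its Content-Security-Policy header, or None.

    Network call, assumed helper; the offline checks below do not use it.
    A 4xx/5xx response still carries headers, so those are inspected too.
    """
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.headers.get("Content-Security-Policy")
    except urllib.error.HTTPError as err:
        return err.headers.get("Content-Security-Policy")


if __name__ == "__main__":
    # Replace SAMPLE_CSP with fetch_csp("http://localhost:62080/administration/accounts/login/")
    # to audit a live dashboard (URL from the curl example above; adjust to yours).
    for finding in audit_csp(SAMPLE_CSP):
        print("-", finding)
```

Run against the default policy it reports the two script-src weaknesses, the style-src 'unsafe-inline', and the absent frame-ancestors; an override module pointed to by CSP_SETTINGS_FILE that removes those sources (after confirming the dashboard's inline scripts still work) brings the list to empty.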

Derrick Xu

Feb 15, 2022, 12:08:31 PM
to archivematica
Thank you, that was very helpful. We are on RHEL so unfortunately I could not find the module file at that path, but the default policy is fine for now.