There are several ways for an attacker to load malicious resources from your domain. If they can access the underlying website, they can add a <script> tag and reference anything they want. CMSes that render content dynamically, e.g., WordPress, are a favorite target among bad actors.
However, you may want to load additional resources yourself. Such resources include style sheets, fonts, scripts, etc.; the same domain or another one may host them. Hence, one needs fine-grained control over which resources are allowed and which aren't. That's the goal of the Content Security Policy HTTP header.
Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.
Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors 'self'; form-action 'self';
The policy allows images, scripts, form submissions, and CSS from the same origin. However, it disallows any other resource from loading.
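To see what this policy actually permits, here is a small evaluator of CSP fetch decisions (an added example, not part of the original article or of APISIX); the page origin and resource URLs are constructed, and it implements only the 'none', 'self' and exact-host source forms plus the default-src fallback. It shows, for instance, that a same-origin font is still blocked, because font-src falls back to default-src 'none'.

```python
from urllib.parse import urlsplit

# The policy from the article, as set via APISIX's response-rewrite plugin.
CSP = ("default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; "
       "style-src 'self'; frame-ancestors 'self'; form-action 'self';")

# Directives that never fall back to default-src (per the CSP spec).
NO_FALLBACK = {"frame-ancestors", "form-action", "base-uri", "sandbox",
               "report-uri", "report-to", "upgrade-insecure-requests"}


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_list_allows(sources: list, page_origin: str, resource_url: str) -> bool:
    """Match a resource against 'none', 'self' and plain host sources."""
    if sources == ["'none'"]:
        return False
    parts = urlsplit(resource_url)
    resource_origin = f"{parts.scheme}://{parts.netloc}"
    for src in sources:
        if src.lower() == "'self'" and resource_origin == page_origin:
            return True
        if src == "*" or src.rstrip("/") == resource_origin:
            return True
    return False


def allowed(header: str, directive: str, page_origin: str, resource_url: str) -> bool:
    """Decide whether a fetch governed by `directive` may load `resource_url`.

    Only the keyword and host-source forms used on this page are implemented;
    nonces, hashes, host wildcards and scheme-sources are out of scope.
    """
    policy = parse_csp(header)
    if directive in policy:
        sources = policy[directive]
    elif directive in NO_FALLBACK or "default-src" not in policy:
        return True  # no directive governs this fetch: the browser allows it
    else:
        sources = policy["default-src"]  # fetch directives inherit default-src
    return source_list_allows(sources, page_origin, resource_url)
```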
Let's pause for a bit. Astute readers have probably realized that the configuration of HTTP headers in the previous sections was generic. Any standard web server, such as the Apache HTTP server, or reverse proxy, e.g., Nginx, can quickly achieve the same.
CSP, however, is another beast. There's no generic configuration; you must set up the header according to the underlying site. While legacy servers/reverse proxies allow fine-grained configuration, they generally have two drawbacks:
- Downtime: you must restart the server for the new configuration to take effect.
- No native Continuous Deployment integration: you must deploy both the new version of the site and the configuration at the same time. It requires an "admin" API that legacy solutions generally lack.
Apache APISIX offers a hot reload feature and an administrative HTTP endpoint.
Now, to the configuration:
curl -i http://apisix:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
  "uri": "/*",
  "plugins": {
    "response-rewrite": {
      "headers": {
        "Content-Security-Policy": "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors 'self'; form-action 'self';"
      }
    }
  }
}'