Content-Security-Policy
Hello everyone,
we are trying to implement security headers on our website and one of them is Content-Security-Policy. I started adding sources that we trust, but I am having issues opening the Umbraco back office because it's trying to execute inline scripts.
Another issue I faced is that if I try putting a hash value I always get a "new one"; it looks like the script is "generated" on the fly, or there are 10+ scripts that are printed and executed inline.
Is there any easy workaround for this issue that we are facing?
Kind Regards
If anyone finds this (like I did) and wants to add a nonce to the Content-Security-Policy header in Umbraco v8, it can be done with a mixture of Umbraco UserComposers, OWIN, and HTML Helpers:
using System;
using System.Security.Cryptography;
using Microsoft.Owin;
using Owin;
using Umbraco.Core.Composing;
using Umbraco.Web;

public class NonceComposer : IUserComposer
{
    public void Compose(Composition composition)
    {
        // Hook the OWIN pipeline once Umbraco has configured its own middleware
        UmbracoDefaultOwinStartup.MiddlewareConfigured += UmbracoDefaultOwinStartup_MiddlewareConfigured;
    }

    private void UmbracoDefaultOwinStartup_MiddlewareConfigured(object sender, OwinMiddlewareConfiguredEventArgs e)
    {
        SetupNonce(e.AppBuilder);
    }

    private void SetupNonce(IAppBuilder app)
    {
        app.Use((context, next) =>
        {
            // Fresh 256-bit nonce per request from a CSPRNG, base64 encoded
            var nonceBytes = new byte[32];
            using (var rng = new RNGCryptoServiceProvider())
            {
                rng.GetBytes(nonceBytes);
            }
            var nonce = Convert.ToBase64String(nonceBytes);

            // Stash it in the OWIN environment so the view's HTML helper can read it
            context.Set("ScriptNonce", nonce);

            // annoyingly, we can't get the current headers here
            string policy = string.Format(
                " default-src 'self' 'nonce-{0}' *.gstatic.com *.googleapis.com *.openstreetmap.org *.cloudflare.com *.googletagmanager.com *.google-analytics.com;" +
                " script-src 'self' 'nonce-{0}' *.googletagmanager.com *.google-analytics.com;" +
                " style-src 'self' 'nonce-{0}' *.gstatic.com *.googleapis.com *.openstreetmap.org *.cloudflare.com *.googletagmanager.com *.google-analytics.com"
                , nonce);
            context.Response.Headers.Set("Content-Security-Policy", policy);
            return next();
        });
    }
}
Html Helper
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin;

public static class NonceHelper
{
    // Reads the per-request nonce the OWIN middleware stored under "ScriptNonce".
    // GetOwinContext() is the extension from the Microsoft.Owin.Host.SystemWeb package.
    public static IHtmlString GetTheNonce(this HtmlHelper helper)
    {
        var owinContext = helper.ViewContext.HttpContext.GetOwinContext();
        return MvcHtmlString.Create(owinContext.Get<string>("ScriptNonce"));
    }
}
You can then use it in .cshtml files like this:
<script nonce="@Html.GetTheNonce()">
(As long as you add a using statement at the top of the .cshtml file for whichever namespace the NonceHelper sits in)
You should also remove any settings of the Content-Security-Policy header in the .config files. It's technically possible to combine them, but I couldn't get it to work properly.
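To show why the hash approach from the question keeps producing a "new one" while the nonce approach above works, here is an added, stand-alone Python check that is not part of the original thread and has nothing to do with Umbraco's own code. It renders a constructed page with one static inline script and one whose body embeds a per-request value, computes the CSP `sha256-` source for each script, and evaluates both a hash-based and a nonce-based `script-src` against them. The HTML, script bodies and policy strings are all constructed for the example.

```python
import base64
import hashlib
import re
import secrets

# Constructed sample page (not Umbraco markup): one static inline script and one
# whose body embeds a per-request value, which is what makes a hash-based
# policy fail on the next render.
STATIC_SCRIPT = "window.siteReady = true;"

def render_page(request_id, nonce=None):
    """Return constructed HTML with a static and a per-request inline script."""
    attr = f' nonce="{nonce}"' if nonce else ""
    dynamic = f"window.requestId = '{request_id}';"
    return ("<html><body>"
            f"<script{attr}>{STATIC_SCRIPT}</script>"
            f"<script{attr}>{dynamic}</script>"
            "</body></html>")

SCRIPT_RE = re.compile(r"<script(?P<attrs>[^>]*)>(?P<body>.*?)</script>", re.S)

def inline_scripts(html):
    """Return [(nonce attribute or None, script body)] for each inline <script>."""
    found = []
    for m in SCRIPT_RE.finditer(html):
        nm = re.search(r'nonce="([^"]*)"', m.group("attrs"))
        found.append((nm.group(1) if nm else None, m.group("body")))
    return found

def csp_hash(body):
    """The 'sha256-<base64>' source expression for an inline script body.
    The hash covers the exact bytes between the tags, so any whitespace or
    value change yields a different source."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")

def make_nonce():
    """Per-request nonce: 128 bits from the OS CSPRNG, base64 encoded."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def script_src_sources(policy):
    """Source list governing scripts: script-src, else default-src as fallback."""
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives.get("script-src", directives.get("default-src", []))

def script_allowed(sources, nonce_attr, body):
    """Would this inline script run? Yes if its nonce attribute matches a
    'nonce-' source or its hash matches a 'sha256-' source. 'unsafe-inline'
    is deliberately not honoured here: the point is to avoid needing it."""
    if nonce_attr and f"'nonce-{nonce_attr}'" in sources:
        return True
    return f"'{csp_hash(body)}'" in sources

def check_page(html, policy):
    """Return [(allowed, body)] for every inline script on the page."""
    sources = script_src_sources(policy)
    return [(script_allowed(sources, n, b), b) for n, b in inline_scripts(html)]

def hash_based_policy(html):
    """Allow-list the hashes of the scripts seen in ONE render (the question's approach)."""
    hashes = " ".join(f"'{csp_hash(b)}'" for _, b in inline_scripts(html))
    return f"default-src 'self'; script-src 'self' {hashes}"

def nonce_based_policy(nonce):
    """Allow-list whatever carries this request's nonce (the answer's approach)."""
    return f"default-src 'self'; script-src 'self' 'nonce-{nonce}'"

if __name__ == "__main__":
    first = render_page("req-1")
    policy = hash_based_policy(first)
    print("hash policy vs. the render it was built from:", check_page(first, policy))
    print("hash policy vs. the next render:", check_page(render_page("req-2"), policy))
    nonce = make_nonce()
    page = render_page("req-3", nonce)
    print("nonce policy:", check_page(page, nonce_based_policy(nonce)))
```

The static script passes under the hash policy on every render, but the script with the embedded request value only passes on the render its hash was taken from, which is exactly the symptom described in the question. The nonce policy passes both because the header and the markup are tied to the same per-request value. One caveat that follows from this: if rendered HTML is served from an output cache, the cached markup carries an old nonce while the middleware emits a fresh one, and every inline script on that page will be blocked again.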
I wrote about this in depth here: https://cultiv.nl/blog/so-you-want-to-secure-your-umbraco-site/
Basically you need to ignore Umbraco paths like so:
Hi Sebastiaan,
Do you have an updated link? It seems that the link now goes to default Umbraco installation screen.
Thank you :)
Kind Regards,
Gary
Hi Sebastiaan,
this worked, thank you a lot!