Elxis CMS Forum

Support => Security => Topic started by: perseas on September 27, 2017, 23:30:06

Title: Content Security Policy CSP
Post by: perseas on September 27, 2017, 23:30:06
Hello there,

I decided to use the CSP below on my Elxis site (Version 4.5) with SSL certificate:

default-src 'none'; script-src 'self' www.google-analytics.com ajax.googleapis.com; connect-src 'self'; img-src 'self'; style-src 'self'; https: data;

Can I write this directly in the text field of Content Security Policy CSP (Control panel > Settings > Security > Content Security Policy CSP), or must I write something else?

Can you advise me?

Best regards
Title: Re: Content Security Policy CSP
Post by: datahell on September 30, 2017, 19:37:25
Yes. Whatever you write there will be applied by Elxis to the "Content-Security-Policy" HTTP header. You can read more about CSP here (https://content-security-policy.com/).

Please note that by using CSP you might have issues with externally loaded javascript, css and image files. Make sure the js/css/image files your site is using are inside the script-src/style-src/img-src properties. Elxis does not use external sources and so you have nothing to fear from Elxis. If any problem arises it will be from your own HTTP code. Using CSP is recommended, go ahead!
Title: Re: Content Security Policy CSP
Post by: perseas on September 30, 2017, 19:42:45
Many thanks for your information, Datahell!
Title: Re: Content Security Policy CSP
Post by: datahell on September 30, 2017, 19:57:02
Something I forgot to tell you is that you will face problems in pages with inline css/js... So be careful.
Title: Re: Content Security Policy CSP
Post by: perseas on September 30, 2017, 19:59:57
I will try on a test site first. I know that it is very risky to use it.
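
Added example, not part of the thread and not Elxis code: a simplified check in JavaScript (Node.js) that runs the policy from the first post against a constructed list of page resources, covering the two points raised in the replies (external js/css/image files must be listed in script-src/style-src/img-src, and inline css/js is affected). The origin https://example.test, the resource list and all function names are assumptions; source matching is reduced to keywords, schemes and host names.

```javascript
// Added example (not Elxis code): simplified CSP check, not the full CSP matching algorithm.
const KNOWN = new Set(['default-src', 'script-src', 'style-src', 'img-src',
  'connect-src', 'font-src', 'frame-src', 'media-src', 'object-src']);

// Split a policy into { directive: [sources] } and collect fragments whose name is not in KNOWN.
function parsePolicy(policy) {
  const directives = {}, unknown = [];
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;                       // empty fragment after a trailing ';'
    if (KNOWN.has(name.toLowerCase())) directives[name.toLowerCase()] = sources;
    else unknown.push(part.trim());
  }
  return { directives, unknown };
}

// kind is 'script', 'style' or 'img'; url is an absolute URL or the string 'inline'.
function isAllowed(parsed, kind, url, pageOrigin) {
  const sources = parsed.directives[kind + '-src'] ?? parsed.directives['default-src'];
  if (sources === undefined) return true;      // nothing restricts this resource type
  if (url === 'inline') return sources.includes("'unsafe-inline'"); // nonces/hashes ignored
  const u = new URL(url);
  return sources.some((src) => {
    if (src === "'self'") return u.origin === pageOrigin;
    if (src === '*') return true;
    if (src.startsWith("'")) return false;     // 'none' and other keywords match no URL
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return u.protocol === src.toLowerCase();
    // Host source: scheme, port and path are dropped, only the host name is compared.
    const host = src.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').split('/')[0].split(':')[0];
    return host.startsWith('*.') ? u.hostname.endsWith(host.slice(1)) : u.hostname === host;
  });
}

// Return the fragments not recognized as directives and the resources that would be blocked.
function audit(policy, pageOrigin, resources) {
  const parsed = parsePolicy(policy);
  const blocked = resources
    .filter(([kind, url]) => !isAllowed(parsed, kind, url, pageOrigin))
    .map(([kind, url]) => `${kind} ${url}`);
  return { unknown: parsed.unknown, blocked };
}

// Policy from the first post; origin and resource list are constructed sample data.
const POLICY = "default-src 'none'; script-src 'self' www.google-analytics.com ajax.googleapis.com; connect-src 'self'; img-src 'self'; style-src 'self'; https: data;";
const SAMPLE = [['script', 'https://example.test/js/site.js'],
  ['script', 'https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js'],
  ['script', 'inline'], ['style', 'inline'],
  ['style', 'https://fonts.googleapis.com/css?family=Roboto'],
  ['img', 'data:image/png;base64,AAAA']];
console.log(audit(POLICY, 'https://example.test', SAMPLE));
```

On a test site, the same comparison can be made against the browser's own console messages, which report each blocked resource together with the directive that blocked it.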