Hi, All,
We output our HTML5 documentation from Flare to a public "portal".
Our Product Security Incident Response Team (PSIRT) have just scanned our Docs subdomain, and have found that the docs portal has no CSP and CSP-report-only headers.
Where should I start looking to be able to resolve this issue?
Many thanks
Andrew
CSP and CSP-report-only Headers in Flare Output
- Propeller Head
- Posts: 50
- Joined: Tue Mar 05, 2019 2:43 am
Re: CSP and CSP-report-only Headers in Flare Output
The headers are a web server config thing, generally speaking. Although there is a meta tag, from reading this page it seems the options are more limited than setting up the server to send the headers.
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Re: CSP and CSP-report-only Headers in Flare Output
To be honest, I'd expect your security folks to advise you on how to fix this.
How you do that depends on your server. Our server uses IIS, so I was able to add CSP stuff by uploading a single web.config file.
I could've probably used meta tags to do the same thing, but fixing it at the server level was way easier than adding meta tags to hundreds or thousands of individual HTML pages.
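As an added example (not a file posted by anyone in this thread), this is the shape of the single web.config the IIS route refers to: dropped at the root of the published Flare output, it makes IIS attach an enforced baseline policy and a stricter report-only policy to every response, so no topic needs a meta tag. The directive values and the report endpoint are placeholders to be tuned from the violation reports the browser sends.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: web.config at the root of the published HTML5 output.
     IIS (with the URL Rewrite module not required) adds the headers below
     to every file it serves from this folder and its subfolders. -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Remove first so a header inherited from a parent config does
             not cause a "duplicate collection entry" error. -->
        <remove name="Content-Security-Policy" />
        <remove name="Content-Security-Policy-Report-Only" />

        <!-- Enforced baseline. Deliberately allows inline script/style
             (assumption: generated output depends on them) so nothing
             breaks on day one, while still blocking plugins, base-tag
             hijacking and framing by other origins. -->
        <add name="Content-Security-Policy"
             value="default-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; base-uri 'self'; frame-ancestors 'self'" />

        <!-- Stricter candidate policy in report-only mode: nothing is
             blocked, the browser only POSTs violation reports to the
             placeholder endpoint. Once the reports show no legitimate
             violations, this value can replace the enforced one above.
             Report-Only can only be delivered as a header, never as a
             <meta> tag, which is one reason the server-level fix is the
             right place for it. -->
        <add name="Content-Security-Policy-Report-Only"
             value="default-src 'self'; img-src 'self' data:; font-src 'self' data:; script-src 'self'; style-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'; report-uri https://csp-reports.example.invalid/collect" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

After publishing, a quick check is to request any topic URL and confirm both headers appear in the response; the security team's scanner should then report them present.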
Re: CSP and CSP-report-only Headers in Flare Output
Many thanks for your responses - and yes, on further investigation, I understand that it is best fixed at a server-level, rather than adding metadata into each topic/resource from the Flare end.
Which is good, because it means I can hand the fix off to another team