Merge pull request #6426 from erikjanwestendorp/csp

sofietoft · web-flow · commit 586dda47d464 · 2024-09-26T09:17:04.000+02:00
Add CSP health check article
diff --git a/14/umbraco-cms/SUMMARY.md b/14/umbraco-cms/SUMMARY.md
@@ -208,6 +208,7 @@
 * [Health Check](extending/health-check/README.md)
   * [Health Check Guides](extending/health-check/guides/README.md)
     * [Click-Jacking Protection](extending/health-check/guides/clickjackingprotection.md)
+    * [Content Content Security Policy (CSP)](extending/health-check/guides/contentsecuritypolicy.md)
     * [Content/MIME Sniffing Protection](extending/health-check/guides/contentsniffingprotection.md)
     * [Cross-site scripting Protection (X-XSS-Protection header)](extending/health-check/guides/crosssitescriptingprotection.md)
     * [Debug Compilation Mode](extending/health-check/guides/debugcompilationmode.md)
diff --git a/14/umbraco-cms/extending/health-check/guides/README.md b/14/umbraco-cms/extending/health-check/guides/README.md
@@ -4,6 +4,8 @@ Below is a list of guides for Health Checks in Umbraco.
 
 ## [Click jack protection](clickjackingprotection.md)
 
+## [Content Security Policy](contentsecuritypolicy.md)
+
 ## [Content sniffing protection](contentsniffingprotection.md)
 
 ## [Cross-site scripting protection](crosssitescriptingprotection.md)
diff --git a/14/umbraco-cms/extending/health-check/guides/contentsecuritypolicy.md b/14/umbraco-cms/extending/health-check/guides/contentsecuritypolicy.md
@@ -0,0 +1,50 @@
+# Content Security Policy (CSP)
+
+_This check verifies if your site has a Content Security Policy (CSP) header to defend against Cross-Site Scripting (XSS) and data injection attacks._
+
+## How to fix this health check
+This health check can be fixed by adding a header before the response is started.
+
+Preferable you use a security library like [NWebSec](https://docs.nwebsec.com/).
+
+### Adding a Content Security Policy (CSP) using NWebSec
+
+If you take a NuGet dependency on [NWebsec.AspNetCore.Middleware/](https://www.nuget.org/packages/NWebsec.AspNetCore.Middleware/), you can use third extension methods on `IApplicationBuilder`.
+
+```csharp
+...
+WebApplication app = builder.Build();
+app.UseCsp(options => options
+    .ImageSources(s => s
+        .Self()
+        .CustomSources(
+            "our.umbraco.com data:",
+            "dashboard.umbraco.com"))
+    .DefaultSources(s => s
+        .Self()
+        .CustomSources(
+            "our.umbraco.com",
+            "marketplace.umbraco.com"))
+    .ScriptSources(s => s
+        .Self())
+    .StyleSources(s => s
+        .Self())
+    .FontSources(s => s
+        .Self())
+    .ConnectSources(s => s
+        .Self())
+    .FrameSources(s => s
+        .Self()));
+```
+
+### Adding a Content Security Policy (CSP) using manual middleware
+
+Avoid third-party library dependencies by using custom middleware added to the request pipeline as shown below.
+
+```csharp
+app.Use(async (context, next) =>
+{
+    context.Response.Headers.Append("Content-Security-Policy", "img-src 'self' our.umbraco.com data: dashboard.umbraco.com; default-src 'self' our.umbraco.com marketplace.umbraco.com; script-src 'self'; style-src 'unsafe-inline' 'self'; font-src 'self'; connect-src 'self'; frame-src 'self'; ");
+    await next();
+});
+```
diff --git a/14/umbraco-cms/extending/health-check/guides/crosssitescriptingprotection.md b/14/umbraco-cms/extending/health-check/guides/crosssitescriptingprotection.md
@@ -1,7 +1,7 @@
 # Health check: Cross-site scripting Protection (X-XSS-Protection header)
 
 {% hint style="warning" %}
-This header is non-standard and should not be used.
+This header is non-standard and should not be used. Instead, it is recommended to use a [Content Security Policy (CSP)](./contentsecuritypolicy.md) header.
 
 For more information about the X-XSS-Protection header, and why it should not be used, see [MDN web docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection).
 {% endhint %}
diff --git a/15/umbraco-cms/SUMMARY.md b/15/umbraco-cms/SUMMARY.md
@@ -42,6 +42,9 @@
 ## Extending
 
 * [Build on Umbraco functionality](extending/build-on-umbraco-functionality.md)
+* [Health Check](extending/health-check/README.md)
+  * [Health Check Guides](extending/health-check/guides/README.md)
+    * [Content Content Security Policy (CSP)](extending/health-check/guides/contentsecuritypolicy.md)
 
 ## Reference
 
diff --git a/15/umbraco-cms/extending/health-check/guides/README.md b/15/umbraco-cms/extending/health-check/guides/README.md
@@ -4,6 +4,8 @@ Below is a list of guides for Health Checks in Umbraco.
 
 ## [Click jack protection](clickjackingprotection.md)
 
+## [Content Security Policy](contentsecuritypolicy.md)
+
 ## [Content sniffing protection](contentsniffingprotection.md)
 
 ## [Cross-site scripting protection](crosssitescriptingprotection.md)
diff --git a/15/umbraco-cms/extending/health-check/guides/contentsecuritypolicy.md b/15/umbraco-cms/extending/health-check/guides/contentsecuritypolicy.md
@@ -0,0 +1,50 @@
+# Content Security Policy (CSP)
+
+_This check verifies if your site has a Content Security Policy (CSP) header to defend against Cross-Site Scripting (XSS) and data injection attacks._
+
+## How to fix this health check
+This health check can be fixed by adding a header before the response is started.
+
+Preferable you use a security library like [NWebSec](https://docs.nwebsec.com/).
+
+### Adding a Content Security Policy (CSP) using NWebSec
+
+If you take a NuGet dependency on [NWebsec.AspNetCore.Middleware/](https://www.nuget.org/packages/NWebsec.AspNetCore.Middleware/), you can use third extension methods on `IApplicationBuilder`.
+
+```csharp
+...
+WebApplication app = builder.Build();
+app.UseCsp(options => options
+    .ImageSources(s => s
+        .Self()
+        .CustomSources(
+            "our.umbraco.com data:",
+            "dashboard.umbraco.com"))
+    .DefaultSources(s => s
+        .Self()
+        .CustomSources(
+            "our.umbraco.com",
+            "marketplace.umbraco.com"))
+    .ScriptSources(s => s
+        .Self())
+    .StyleSources(s => s
+        .Self())
+    .FontSources(s => s
+        .Self())
+    .ConnectSources(s => s
+        .Self())
+    .FrameSources(s => s
+        .Self()));
+```
+
+### Adding a Content Security Policy (CSP) using manual middleware
+
+Avoid third-party library dependencies by using custom middleware added to the request pipeline as shown below.
+
+```csharp
+app.Use(async (context, next) =>
+{
+    context.Response.Headers.Append("Content-Security-Policy", "img-src 'self' our.umbraco.com data: dashboard.umbraco.com; default-src 'self' our.umbraco.com marketplace.umbraco.com; script-src 'self'; style-src 'unsafe-inline' 'self'; font-src 'self'; connect-src 'self'; frame-src 'self'; ");
+    await next();
+});
+```
diff --git a/15/umbraco-cms/extending/health-check/guides/crosssitescriptingprotection.md b/15/umbraco-cms/extending/health-check/guides/crosssitescriptingprotection.md
@@ -1,7 +1,7 @@
 # Health check: Cross-site scripting Protection (X-XSS-Protection header)
 
 {% hint style="warning" %}
-This header is non-standard and should not be used.
+This header is non-standard and should not be used. Instead, it is recommended to use a [Content Security Policy (CSP)](./contentsecuritypolicy.md) header.
 
 For more information about the X-XSS-Protection header, and why it should not be used, see [MDN web docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection).
 {% endhint %}
