
Add an example of a "strict" security policy to the configuration docs #156

Open
meggles711 opened this issue Jul 8, 2020 · 6 comments

@meggles711
Contributor

meggles711 commented Jul 8, 2020

Hey Y’all, I’m an intern at Google and am working on adding or improving web security features for open source frameworks.

I think the current default CSP configuration could be made more friendly to first time CSP users. Many developers will install security tools without configuring them. It would be nice to provide a default configuration that would be appropriate for most applications. The configuration recommended here, under CSP Policy Example, should work for most applications and is a good starting point for others.

I would also be interested in updating the documentation to explain the new default configuration and adding links to external resources to help developers new to CSP understand how to best implement it.

Please let me know your thoughts and recommendations on approaching this change.

@g-k
Contributor

g-k commented Jul 15, 2020

Hi @meggles711, can you be more specific about what you'd change? We've generally left it to the app to configure their CSP policy.

@meggles711
Contributor Author

meggles711 commented Jul 15, 2020

Hi @g-k!

I'd like to change the default to a strict policy appropriate for most applications. This would involve two changes to the current configuration.

  • Set default-src to 'none'

  • Set script-src to 'nonce-{random}' 'strict-dynamic' https: http:

This would still allow and require the app to configure the CSP policy for their needs but provides a strict baseline to build from. It also provides alternatives for older browsers.

@adamchainz
Contributor

I think it would be better to use documentation for this. The guide could cover setting up a CSP with either a basic strict default (suitable for new projects), or using tools like report-uri.com or Mozilla Laboratory to build a CSP with report-only mode for a while to check it's working okay.

@DylanYoung
Contributor

That doesn't seem like a very safe policy to start with for a number of reasons: not least the refactoring required to support noncing all scripts on modern browsers, but also there's no control of style sheets. What about adding preconfigured policies that a user could import into their settings instead?

@some1ataplace

Here are some examples of preconfigured CSP settings that you can use in your Django settings:

  1. Least strict: Allows all content to be loaded from any source. This is not recommended for production use.

```python
CSP_DEFAULT_SRC = ["'self'", "'unsafe-inline'", "'unsafe-eval'", "*"]

CSP_DEFAULT_SRC = ("*",)
CSP_FONT_SRC = ("*",)
CSP_IMG_SRC = ("*",)
CSP_OBJECT_SRC = ("*",)
CSP_SCRIPT_SRC = ("*",)
CSP_STYLE_SRC = ("*",)
CSP_FORM_ACTION = ("*",)
```

  2. Moderate: Allows content to be loaded from same-origin sources and from trusted third-party sources.

```python
CSP_DEFAULT_SRC = ["'self'", "trusted.example.com"]
CSP_SCRIPT_SRC = ["'self'", "trusted.example.com", "ajax.googleapis.com"]
CSP_STYLE_SRC = ["'self'", "trusted.example.com", "maxcdn.bootstrapcdn.com"]
CSP_IMG_SRC = ["'self'", "trusted.example.com", "data:"]
CSP_CONNECT_SRC = ["'self'", "trusted.example.com", "api.example.com"]
CSP_FONT_SRC = ["'self'", "trusted.example.com", "maxcdn.bootstrapcdn.com"]
```

  3. Most strict: Allows content to be loaded only from same-origin sources, with no inline scripts or styles.

```python
CSP_DEFAULT_SRC = ["'self'"]
CSP_SCRIPT_SRC = ["'self'"]
CSP_STYLE_SRC = ["'none'"]
CSP_IMG_SRC = ["'self'"]
CSP_CONNECT_SRC = ["'self'"]
CSP_FONT_SRC = ["'self'"]
```

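To make the two proposals in this thread concrete, the following is an added example (not django-csp's own code; DIRECTIVES, build_header and policy_findings are hypothetical helpers) that renders the nonce-based strict baseline proposed by meggles711 and the preconfigured settings above into a Content-Security-Policy header value, then flags the weak constructs a reviewer would look for before shipping the policy. It assumes django-csp-style CSP_* setting names and a `{random}` placeholder for the per-response nonce.

```python
import secrets

# django-csp setting name -> CSP directive name (subset used in this example).
DIRECTIVES = {"CSP_DEFAULT_SRC": "default-src", "CSP_SCRIPT_SRC": "script-src",
              "CSP_STYLE_SRC": "style-src", "CSP_IMG_SRC": "img-src",
              "CSP_OBJECT_SRC": "object-src"}

# Strict baseline proposed earlier in this thread (constructed settings dict).
STRICT_SETTINGS = {
    "CSP_DEFAULT_SRC": ("'none'",),
    "CSP_SCRIPT_SRC": ("'nonce-{random}'", "'strict-dynamic'", "https:", "http:"),
    "CSP_STYLE_SRC": ("'self'",),
    "CSP_IMG_SRC": ("'self'",),
}
# The "least strict" example from the comment above, for contrast.
LAX_SETTINGS = {"CSP_DEFAULT_SRC": ("*",), "CSP_SCRIPT_SRC": ("*",)}


def make_nonce():
    """Fresh 128-bit CSPRNG nonce; generate one per response and never reuse it."""
    return secrets.token_urlsafe(16)


def build_header(settings, nonce):
    """Render a Content-Security-Policy value, filling the {random} placeholder."""
    parts = []
    for key, sources in settings.items():
        values = [s.replace("{random}", nonce) for s in sources]
        parts.append(f"{DIRECTIVES[key]} {' '.join(values)}")
    return "; ".join(parts)


def policy_findings(header):
    """Hardening problems a reviewer would raise; an empty list means none found."""
    # Parse "name src src; name src" back into {directive: [sources]}.
    d = {n: r.split() for n, _, r in
         (p.strip().partition(" ") for p in header.split(";") if p.strip())}
    script = d.get("script-src", d.get("default-src", []))  # fallback rule
    findings = []
    if "default-src" not in d or "*" in d["default-src"]:
        findings.append("default-src missing or wildcard: unlisted directives are open")
    if "'unsafe-inline'" in script and not any(s.startswith("'nonce-") for s in script):
        findings.append("script-src allows inline scripts and has no nonce to override it")
    if "'unsafe-eval'" in script or "*" in script:
        findings.append("script-src allows eval() or scripts from any origin")
    if {"http:", "https:"} & set(script) and "'strict-dynamic'" not in script:
        findings.append("scheme sources in script-src without 'strict-dynamic' allow any host")
    if "object-src" not in d and d.get("default-src") != ["'none'"]:
        findings.append("object-src unrestricted: plugin content can bypass script-src")
    return findings
```

Note that the `https: http:` fallbacks in the strict policy are only acceptable because `'strict-dynamic'` makes browsers that support it ignore host and scheme sources; the same sources without it would be flagged.
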
@robhudson
Member

Currently the defaults are configured so that, with very minimal set up, you get a policy of default-src: 'self', which many of the other *-src directives use. So not too far from your most strict example above.

I would prefer some documentation or links to trusted sources that discuss how to compose a strict CSP policy, since all websites are unique in what they can or cannot accomplish. I would welcome at least a good base configuration for the configuration docs.

@robhudson robhudson changed the title Update Default Configuration to Meet Strict CSP Guidelines Add an example of a "strict" security policy to the configuration docs May 2, 2024