content_security_policy.adoc 3.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354
  1. [#content-security-policy]
  2. = Content Security Policy (CSP)
  3. When xref:reference/network-ports.adoc[the single HTTP frontend] is enabled (the default), OliveTin adds several browser security headers to every response, including `Content-Security-Policy`. This page explains how to turn that header off or replace it with a less strict policy when you need to (for example, custom scripts, different API hosts, or embedding in an iframe).
  4. [WARNING]
  5. Relaxing or removing CSP weakens protection against cross-site scripting and related attacks. Prefer the smallest change that fixes your issue, and keep the rest of the policy as tight as you can.
  6. == Default behavior
  7. With default settings, OliveTin sends a `Content-Security-Policy` header similar to the following (single line in the actual response):
  8. [source,text]
  9. ----
  10. default-src 'self'; script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'
  11. ----
  12. If `security.headerContentSecurityPolicy` is `true` but `security.contentSecurityPolicy` is left empty, OliveTin fills in this default on startup.
  13. == Disable the CSP header entirely
  14. Set `security.headerContentSecurityPolicy` to `false`. OliveTin will not send `Content-Security-Policy` on responses from the single HTTP frontend.
  15. include::partial$config-start.adoc[]
  16. ----
  17. security:
  18. headerContentSecurityPolicy: false
  19. ----
  20. == Use a custom (relaxed) policy
  21. Keep `security.headerContentSecurityPolicy` `true` and set `security.contentSecurityPolicy` to the full header value you want. For example, to allow WebSocket connections to the same host when you serve the UI over plain HTTP in a lab (not recommended for production), you might widen `connect-src`:
  22. include::partial$config-start.adoc[]
  23. ----
  24. security:
  25. headerContentSecurityPolicy: true
  26. contentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self' http: https: ws: wss:; frame-ancestors 'none'; base-uri 'self'"
  27. ----
  28. Build your policy from the https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP[MDN documentation on CSP] and test in the browser developer tools (Console will report CSP violations).
  29. Typical reasons people adjust this setting:
  30. * **Custom JavaScript or third-party scripts** — You may need to extend `script-src` (and sometimes `connect-src` for XHR/fetch). See xref:advanced_configuration/webui.adoc#custom-js[Custom JavaScript].
  31. * **Embedding OliveTin in another site** — The default includes `frame-ancestors 'none'`, which blocks iframes. You must change that directive (and may need to relax `X-Frame-Options` using `security.headerXFrameOptions` and `security.xFrameOptions`) if embedding is required.
  32. * **API or auth on another origin** — Extend `connect-src` (and possibly `form-action` or others) to include those URLs.
  33. * **Reverse proxy also sets CSP** — Your proxy might add a second policy; browsers combine them. Align OliveTin and the proxy so you do not get conflicting or unexpectedly strict effective policies.
  34. == Related settings
  35. Other keys under `security` in `config.yaml` control additional headers (for example `headerXContentTypeOptions`, `headerXFrameOptions`, and `xFrameOptions`). This page focuses on CSP; see the OliveTin `SecurityConfig` in the application source if you need the full list of fields.
  36. Configuration reload: if you use OliveTin's live config reload, changes to `security` are picked up without restarting the process in typical setups.