praaveen
Published in

praaveen

Part 2: Rails5.2 CSP (Content Security Policy)

Sample rails repo here and PPT here

The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page.

With a few exceptions, policies mostly involve specifying server origins and script endpoints.
This helps guard against cross-site scripting attacks (XSS).

Content Security Policy overview (image took it from other source)

Syntax:
Content-Security-Policy: <policy-directive>; <policy-directive>

Reference :

Directives (listing only few )
Fetch directives
Fetch directives control locations from which certain resource types may be loaded.

connect-src
Restricts the URLs which can be loaded using script interfaces
img-src
Specifies valid sources of images and favicons.

Document directives
Document directives govern the properties of a document or worker environment to which a policy applies.
base-uri
Restricts the URLs which can be used in a document’s <base> element.
plugin-types
Restricts the set of plugins that can be embedded into a document by limiting the types of resources which can be loaded.

Navigation directives
Navigation directives govern to which location a user can navigate to or submit a form to, for example.
a.form-action
Restricts the URLs which can be used as the target of a form submissions from a given context.

Reporting directives
Reporting directives control the reporting process of CSP violations.

a.report-uri
Instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI.

Old Solution( Secure header gem) (Image from different source)

CSP with rails5.2

config/initializers/content_security_policy.rb

Rails.application.config.content_security_policy do  |p|
p.default_src :self, :https
p.font_src :self, :https
# p.img_src :self , :https
p.object_src :none
p.script_src :self, :https
p.style_src :self, :https, :unsafe_inline
p.img_src :self, 'power.itp.ac.cn', :https
# p.img_src 'power.itp.ac.cn'
# p.img_src :none
# p.img_src :self
# Specify URI for violation reports
p.report_uri "/violation_report"
end

For image setup

Note:

a. Google image from local assert

b. Baby with puppy if from external source (power.itp.ac.cn)

Example one

Rails.application.config.content_security_policy do |p|
....
p.img_src 'power.itp.ac.cn'
.....
end

Example two

Rails.application.config.content_security_policy do |p|
....
p.img_src :self
.....
end

Example three

Rails.application.config.content_security_policy do |p|
....
p.img_src :none
.....
end

Example four

Rails.application.config.content_security_policy do |p|
....
p.img_src :self, 'power.itp.ac.cn', :http
.....
end

similar can config for js and css files.

controller configuration

# Override policy inline
class PostsController < ApplicationController
content_security_policy do |p|
p.upgrade_insecure_requests true
end
end
# Using literal values
class PostsController < ApplicationController
content_security_policy do |p|
p.base_uri “https://www.example.com"
end
end

The CSP recommendation defines a way for browsers to report policies to a specific endpoint, but this endpoint needs to be configured in the build process so that the team gets notified of any violations that occur and process it.

p.report_uri  "/violation_report"

Violation Report

Started POST "/violation_report" for 127.0.0.1 at 2018-06-21 08:51:12 +0530
Processing by UsersController#violation_report as */*
"{\"csp-report\":{\"document-uri\":\"http://localhost:3000/users\",\"referrer\":\"\",\"violated-directive\":\"img-src\",\"effective-directive\":\"img-src\",\"original-policy\":\"default-src 'self' https:; font-src 'self' https: data:; object-src 'none'; script-src 'self' https:; style-src 'self' https: 'unsafe-inline'; img-src power.itp.ac.cn; report-uri /violation_report\",\"disposition\":\"enforce\",\"blocked-uri\":\"http://localhost:3000/favicon.ico\",\"status-code\":200,\"script-sample\":\"\"}}"

With the help of this callback we able to tract the violation happens at the client side.

About Part 1 : Rails5.2 Credentials(encrypted credentials)

Reference:

Sample rails repo here and PPT here

Technical blog

Recommended from Medium

How to have “Zero-downtime” of your services — Deployment using Kubernetes

Can I Use Speech Generated By Text-To-Speech In Twitch?

Startups of March

Practical QA Team relationships

How To Get Flight Data Of Regional Express Using An API

A course that changed my learning Curve!

Configuring GCE Ingress Controller to accept only SSL1.2 connection and up using Terraform

Raspberry Pi Wi-Fi Bulb

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Praaveen Vr

Praaveen Vr

Ruby on Rails Freelancer

More from Medium

Using Azure AD B2C to Authenticate iOS App Users

The image shows the log in form from Azure Active Directory B2C presented in a modal view on an iPad.

Dependency Injection for iOS Applications — Init based DI

Challenge — We Need To Lint Protos Easily

Preventing Memory Leaks Using XCTests