A Content Security Policy (CSP) is a security feature for websites that acts like a set of rules or guidelines for your browser, telling it what content is safe to load and execute. Think of it as a security guard for the browser, ensuring only trusted scripts, styles, images, and other resources are allowed to run on a webpage. The headers our team implements in Titan CMS are a balance between a restrictive but secure browsing experience and necessary functionality.
Secure Headers
Secure headers instruct browsers on how to behave and prevent them from executing vulnerabilities that could endanger users. Here is an overview of the secure headers used in Titan CMS.
Content-Security-Policy (Content-Security-Policy-Report-Only)
Purpose: CSP is a low-priority setting, is not required, and is not a Titan CMS issue. CSP is most typically implemented in situations where IT does not implicitly trust content managers not to use scripts from unscrupulous sources or to link to questionable sites for resources like images. It can also be used to help prevent links to malware, which may be inserted by threat actors who are using compromised Titan CMS accounts.
Restrictive CSPs, such as prohibiting unsafe-inline, will not work with any Titan CMS instance.
Value: default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self'
References:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
unsafe-inline
The unsafe-inline directive allows the website to use inline resources, including the inline the <script> and <style> elements as well as the "style" attribute on an element. Titan CMS requires that it be allowed to execute inline scripts as part of its normal functioning. There are numerous cases in which managed code dynamically creates small sets of scripts and injects them into a page during the rendering process.
unsafe-eval
Many online sources assert that unsafe-eval must be avoided. In the real world, allowing unsafe-eval, when combined with other security measures, does not pose a significant risk. Titan CMS currently requires that the eval() function be allowed. So does GTM/Google Analytics.
Third-Party Script Sources
Titan CMS, like any content management system, allows scripts to be pulled from remote Content Distribution Networks (CDNs). Examples include Google Tag Manager, jQuery, Fancybox, CookiePro, and CookieYes. If a client does not wish to trust these CDNs, then we can pull the required java scripts directly into Titan CMS and serve them locally.
Trusted Web Content Authors
We recommend that all content authors for a website receive sufficient training on internal client security policies so that they can avoid opening attack windows for the website they are managing. For example, a content author should never import or reference scripts from a source that has not been thoroughly vetted.
Hashes and Nonces
Creating cryptographic hashes or nonces as a way to tell the CSP that a dynamic, inline script is safe does not appear to be workable in Titan. Hashes are based on the entire content of the script and are designed primarily for static scripts, not dynamic scripts. Nonces are random base64-encoded strings of at least 128 bits of data (not dependent on the script content). But since a dynamic script's Nonce changes with each page load, there is no good way to inject the nonce value into the static CSP header generated in the web.config file.
References
https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/nonce
X-Content-Type-Options Header
Purpose: The 'X-Content-Type-Options' HTTP header is a security feature designed to protect websites from certain types of attacks, particularly those related to how browsers interpret the type of files (known as MIME types) that are downloaded or displayed.
Here’s a simple explanation:
- Prevents MIME Type Sniffing: Browsers sometimes try to guess the type of a file based on its content, rather than trusting the type specified by the server. This can lead to security issues, such as executing malicious scripts unintentionally.
- Ensures Correct File Handling: By setting 'X-Content-Type-Options: nosniff', the browser is instructed to strictly follow the MIME type specified by the server, without trying to guess or change it.
- Reduces Security Risks: This helps prevent attacks like cross-site scripting (XSS) and drive-by downloads, where malicious files might be disguised as harmless ones.
- Consistent Behavior: It ensures that files are handled consistently across different browsers, reducing the risk of security issues due to inconsistent handling.
In essence, this header tells the browser to trust the server's declaration of a file's type and not to try to interpret it differently, which enhances the overall security of the website.
Value: nosniff
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
Strict-Transport-Security Header
Purpose: The Strict-Transport-Security (HSTS) header is a security feature that ensures web browsers only access a website using secure HTTPS connections, rather than the insecure HTTP protocol.
Value: max-age=31536000; includeSubDomains
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
X-Frame-Options Header
This header is obsolete and is superseded by the frame-ancestors Content Security Policy.
Permissions-Policy Header
Purpose: The primary goal of the Permissions-Policy header is to enhance user privacy and security by giving web developers fine-grained control over which browser features can be used on their website. This includes controlling access to powerful features such as the camera, microphone, geolocation, and more.
Value: geolocation=(self), camera=(self)
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy
Cross-Origin-Resource-Policy Header
Purpose: The Cross-Origin-Resource-Policy (CORP) header is a security feature in HTTP that allows a server to control which websites can access its resources, helping to mitigate cross-origin data leaks and protect against various types of attacks.
Value: same-site
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy
Removing Identity Headers
To make it marginally more difficult for threat actors to know the type of web server being used for the site, we remove the ASP.NET version header and the Server HTTP header.
If you have questions about secure headers and how they're handled in Titan CMS, please don't hesitate to contact us.
Related Blog Posts
Titan CMS prioritizes secure authentication, data encryption, and compliance with evolving data privacy laws.
Single Sign On (SSO) allows you to seamlessly jump among applications without logging into each separately. There are several important benefits for your business.
Titan CMS is a powerful content management solution that helps manufacturers meet unique industry challenges, offering advanced data management, seamless integrations, and exceptional support – all at an affordable price.