Meshcentral: Security Enhancement : Content Security Policy

Created on 2 Sep 2019  ·  10Comments  ·  Source: Ylianst/MeshCentral

I use MC over internet. That's why security is very important for me.

When I add this strict content security policy (add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';";) to my nginx, MC doesn't work as expected.

I must add multiple 'unsafe-inline' sources to the directives, but that is less secure.

Is it possible to change MC to integrate a strict content security policy?

Thx


This is interesting. Yes, I will take a look at this.

This is the minimal header that works for me:

"Content-Security-Policy": "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self'; media-src 'self'"

Indeed, I need unsafe-inline for script and style because I use inline styles and scripts. I am adding this line to the "sample-config.json" for future reference. I will experiment with removing inline styles, but it would take a lot of work to remove inline scripts.

This is such a good idea, that I just published MeshCentral v0.4.0-n with the following HTTP headers enabled by default:

"X-Frame-Options": "sameorigin",
"Referrer-Policy": "no-referrer",
"X-XSS-Protection": "1; mode=block",
"X-Content-Type-Options": "nosniff",
"Content-Security-Policy": "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self'; media-src 'self'"

This should lock down security quite a bit. Feedback welcome.

Just published MeshCentral v0.4.0-o with binding for session cookie to the external IP address of the browser. I want to see how this goes, but this makes login cookies really strict. I may add an option to disable this if required.

I use the same HTTP headers in my nginx configuration and all works well.
For session cookies, I haven't noticed issues for the moment.
A big thank you.

Just a heads-up:

I tried to use mesh on my older linux laptop at home yesterday and got the "because it violates the following Content Security Policy directive: “connect-src 'self'”" error.
This is because the old browser does not allow the https to ws protocol switch.

more info: https://github.com/Fyrd/caniuse/issues/5052
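To make the header from the earlier comment and the connect-src failure above concrete, here is an added CSP evaluator (not MeshCentral's code). It parses a policy and answers whether a load would pass; the `legacySelf` option models a browser that does not treat a wss: socket to the page's own host as 'self'. The origin, paths and the helper names are assumptions.

```javascript
// Added example, not MeshCentral's own code: parse a CSP header and ask whether a
// load passes. `legacySelf` models older browsers that did not let 'self' cover a
// wss: URL on the page's own host (the connect-src error reported in this thread).

// Parse "dir src src; dir src" into { dir: [src, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1).map(t => t.toLowerCase());
  }
  return policy;
}

// Does one source expression `src` match `target` for a page served from `page`?
function sourceMatches(src, target, page, legacySelf) {
  if (src === "'self'") {
    // Same host, and same scheme or an https page opening a wss: socket (CSP3 rule);
    // the legacy behaviour accepts only an identical scheme. URL.host drops default ports.
    const upgradeOk = !legacySelf && page.protocol === 'https:' && target.protocol === 'wss:';
    return target.host === page.host && (target.protocol === page.protocol || upgradeOk);
  }
  if (src.endsWith(':')) return target.protocol === src;   // scheme source, e.g. data: or wss:
  if (src.startsWith("'")) return false;                   // 'unsafe-inline', 'none' etc. never match a URL
  const [scheme, host] = src.includes('://') ? src.split('://') : [null, src];
  if (scheme && target.protocol !== scheme + ':') return false;
  const hostOnly = host.split('/')[0];                     // path parts of a host source are ignored here
  if (hostOnly.startsWith('*.')) return target.hostname.endsWith(hostOnly.slice(1));
  return target.host === hostOnly;
}

// request: { directive, url } for a fetch, or { directive, inline: true } for inline code.
function isAllowed(policy, request, pageOrigin, opts = {}) {
  // A fetch directive that is absent falls back to default-src.
  const sources = policy[request.directive] || policy['default-src'] || [];
  if (sources.includes("'none'")) return false;
  if (request.inline) return sources.includes("'unsafe-inline'");
  const target = new URL(request.url);
  const page = new URL(pageOrigin);
  return sources.some(src => sourceMatches(src, target, page, !!opts.legacySelf));
}

// The header from this thread, evaluated against a constructed origin (not a real deployment).
const MESH_CSP = "default-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-src 'self'; media-src 'self'";
const ORIGIN = 'https://mesh.example.com';
```

With the header as published, an inline script and a data: image pass, a script from another host fails, and a wss: connection to the same host passes only when 'self' is evaluated the modern way; adding an explicit wss: scheme source to connect-src makes it pass under the legacy rule too.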

Oh! Thanks for the heads-up... that is... ugly. Working on it now.

MeshCentral v0.4.1-g is now live with a fix for the "heads up". Let me know if it works.

I am going to close this issue since the new HTTP headers seem to work as expected. Please re-open or file a new issue if needed.

Checked this morning, this is fixed.
Thank you
