This guide explains how to use Content Security Policy (CSP) to mitigate Cross-Site Scripting (XSS) attacks in Discourse. It covers CSP basics, configuration, and best practices.
Required user level: Administrator
Summary
Content Security Policy (CSP) is a crucial security feature in Discourse that helps protect against Cross-Site Scripting (XSS) and other injection attacks. This guide covers the basics of CSP, how it’s implemented in Discourse, and how to configure it for your site.
What is Content Security Policy?
Content Security Policy is an added layer of security that helps detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. CSP works by specifying which content sources are considered trusted, and instructing the browser to only execute or render resources from those trusted sources.
XSS remains one of the most common web vulnerabilities. By implementing CSP, Discourse allows scripts only from trusted sources to load and execute, significantly reducing the risk of XSS attacks.
Discourse’s CSP implementation
As of Discourse version 3.3.0.beta1, Discourse implements a ‘strict-dynamic’ CSP. This approach uses a single nonce- value and the strict-dynamic keyword in the script-src directive. All initial <script> tags in core and themes are automatically given the appropriate nonce= attribute.
The default policy includes the following directives:
-
script-src: Specifies valid sources for JavaScripts -
worker-src: Specifies valid sources for ServiceWorker scripts -
object-src: Blocks the execution of plugins (Flash, Java, etc.) -
base-uri: Restricts the URLs for<base>elements -
frame-ancestors: Controls which sites can embed your Discourse instance in an iframe (added in later versions)
Configuring CSP in Discourse
Available settings
-
content_security_policy: Enables or disables CSP (default: on) -
content_security_policy_report_only: Enables CSP Report-Only mode (default: off) -
content_security_policy_script_src: Allows you to extend the defaultscript-srcdirective -
content_security_policy_frame_ancestors: Enables theframe_ancestorsdirective (default: on)
How to enable CSP
- Navigate to your Admin panel
- Go to Security settings
- Find the
content_security_policysetting and ensure it’s enabled
It’s recommended to start with CSP Report-Only mode to identify any potential issues before fully enabling CSP:
- Enable the
content_security_policy_report_onlysetting - Monitor your browser console and server logs for CSP violations
- Address any legitimate violations by extending the CSP as needed
- Once you’re confident there are no false positives, disable Report-Only mode and fully enable CSP
Extending the default CSP
If you need to allow additional script sources, you can extend the script-src directive using the content_security_policy_script_src setting. You can add:
- Hash-sources
'wasm-unsafe-eval'-
'unsafe-eval'(use with caution)
For example:
'sha256-QFlnYO2Ll+rgFRKkUmtyRublBc7KFNsbzF7BzoCqjgA=' 'unsafe-eval'
Be cautious when adding 'unsafe-eval' or other permissive directives, as they can reduce the effectiveness of CSP.
CSP and third-party integrations
When using third-party services like Google Tag Manager, Google Analytics, or advertising services, you may need to adjust your CSP settings. In most cases with Discourse version 3.3.0.beta1 or later, external scripts should work without additional configuration due to the ‘strict-dynamic’ CSP implementation.
If you encounter issues, you may need to:
- Identify the required script sources by monitoring your browser console
- Add the necessary sources to the
content_security_policy_script_srcsetting - For complex integrations like ad services which load external resources, you might need to enable cross-domain rendering (Example PR from discourse-adplugin that does this).
Best practices
- Start with CSP Report-Only mode to identify potential issues
- Gradually tighten your CSP as you resolve legitimate violations
- Regularly review your CSP settings and adjust as needed
- Be cautious when adding permissive directives like
'unsafe-eval'or'wasm-unsafe-eval' - Keep your Discourse instance updated to benefit from the latest CSP improvements
FAQs
Q: I’m seeing many CSP violation reports. Should I be concerned?
A: Many CSP violations are false positives, often caused by browser extensions or other unrelated scripts. Focus on addressing violations related to your site’s functionality.
Q: Can I use CSP with Google AdSense or other ad networks?
A: Yes, but you may need to use more permissive CSP settings. Start with Report-Only mode and adjust your settings based on the reported violations.
Q: How do I troubleshoot CSP issues?
A: Use your browser’s developer tools to monitor the console for CSP violation messages. These will help you identify which resources are being blocked and why.
Additional resources
- Content Security Policy (CSP) - HTTP | MDN
- Polityka bezpieczeństwa treści | Articles | web.dev
- Content Security Policy Level 3
- Strict CSP - Content Security Policy
- https://csp-evaluator.withgoogle.com/
Last edited by @kelv 2024-10-04T06:30:07Z
Check document
Perform check on document: