
AEM as a Cloud : How to add nonce values to Content Security Policy Headers?


Community Advisor

Hi Team

I am trying to add CSP headers to my pages. I know we can add them as headers via the dispatcher (which is more secure) and also using meta tags. I need to add some nonce values, so I am thinking of using meta tags. Has anyone implemented CSP with nonce values in AEM as Cloud? Do you have any pointers on the best approach?

 

Thanks

Veena


9 Replies


Level 8

@VeenaVikraman: We had implemented the addition of CSP headers through servlet Filters.

I am not sure if this is the best way to add CSP header/rules.

But, this gave us the option to specify the content paths using 'sling.filter.pattern' (and other options that we get with Filter),  if we wanted to apply the rules for requests under a specific path alone.

Rules were authored on a config page which was applicable per site. We used a component to author multiple CSP rules and multi values for the domain etc.
The reason we did this was to be able to specify different CSP rules per website and site authors had the control over updating the rules.

After converting all the rules to a string, 'Content-Security-Policy' header was added to SlingHttpServletResponse object.

 

// Needs javax.servlet.http.HttpServletResponse imported in the filter class.
@Override
public final void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    // We skipped all of this on author run-mode OR if a site does not have the config-page OR config component is not authored.

    String cspRules = "";
    // Get all CSP rules and append to cspRules, i.e. default-src 'self'; style-src 'self' 'nonce-N2M0MDhkN2EtMmRkYi00MTExLWFhM2YtNDhkNTc4NGJhMjA3';
    // Add the CSP header to the response. addHeader is defined on HttpServletResponse, not ServletResponse, so cast first.
    ((HttpServletResponse) response).addHeader("Content-Security-Policy", cspRules);
    chain.doFilter(request, response);
}

 

Please refer to this for a filter example: https://github.com/Adobe-Consulting-Services/acs-aem-samples/blob/master/core/src/main/java/com/adob...

 


Community Advisor

@Kamal_Kishor Will this affect the cache? I understand adding a nonce value requires each request to have a new nonce value. That means we cannot cache the responses, as each response should be new with a new randomly generated nonce value. How did you handle that?


Level 8

@VeenaVikraman : I misunderstood your reply the first time.
We were using 'nonce-rAnd0m' in our CSP policy, so it was not an issue in terms of caching. I don't understand how it was/will protect since this is assumed to be a random/new value on every request.

--------------------------------------------------------------
Conceptually this should not affect page caching as sling Filter acts on a request if it goes to AEM instance. If a page is cached, it never comes to the instance.
I no longer have access to the system where this was implemented to validate now.

If you get a chance, please try and let me know as well if you see a different behaviour.
thanks.


Community Advisor

Got it, @Kamal_Kishor. For various unavoidable reasons, I have temporarily opted not to implement the nonce. At present, I have taken the approach of adding 'unsafe-inline' as a temporary measure until I can find a more suitable solution due to time constraints. We have incorporated the meta tag method to implement CSP, and another measure we've taken is to enable a page using CA config, allowing some of the header values to be editable.

 

One thing I wanted to highlight here. I assume you guys might have referred to https://content-security-policy.com/nonce/, but a nonce should have a value which keeps changing for each request.

And regarding cache, as I doubted, nonce and cache cannot work together. Anyone can correct me if that is wrong. But I went through some Stack Overflow and that is what I could infer from all my research.

 

https://serverfault.com/questions/1059740/how-to-create-a-csp-nonce-and-yet-continue-website-caching

 

https://security.stackexchange.com/questions/144212/http-content-security-policy-nonce-and-caching

 

https://security.stackexchange.com/a/270556 

 

 


Community Advisor

Hi @VeenaVikraman 
Yes, sorry I overlooked. 

Let me find something related to AEM and share with you.



Arun Patidar


Level 1

You can leverage Dispatcher SSI and the mod_unique_id module to generate a nonce on every request, and SSI to put the nonce in the attribute.

 

For more details, check: https://abdulmunim.com/2024/04/securing-aem-scripts-with-csp-nonces-on-dispatcher-cache/
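
The constraint discussed in this thread, a nonce that is new on every response while the cached markup stays the same, shown as an added example that is not code from any post above or from the linked article. It assumes the cached page and the authored policy both carry a placeholder token (the name `__CSP_NONCE__` and the class and method names are hypothetical) that is replaced with one fresh value per response, in the header and in the markup.

```java
import java.security.SecureRandom;
import java.util.Base64;

public class CspNonceDemo {
    private static final SecureRandom RNG = new SecureRandom();

    // Hypothetical placeholder token stored in the authored policy and in the cached markup.
    static final String PLACEHOLDER = "__CSP_NONCE__";

    /** 128 bits from a CSPRNG, base64-encoded; never reused across responses. */
    static String newNonce() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.getEncoder().encodeToString(raw);
    }

    /** Header value for one response: the authored policy with the placeholder filled in. */
    static String headerFor(String policyTemplate, String nonce) {
        return policyTemplate.replace(PLACEHOLDER, nonce);
    }

    /** Markup for one response: the cached body with the same nonce filled in. */
    static String bodyFor(String cachedHtml, String nonce) {
        return cachedHtml.replace(PLACEHOLDER, nonce);
    }

    public static void main(String[] args) {
        // Constructed sample policy and cached fragment.
        String policy = "default-src 'self'; script-src 'self' 'nonce-" + PLACEHOLDER + "'";
        String cached = "<script nonce=\"" + PLACEHOLDER + "\">init();</script>";

        // Two requests served from the same cached fragment get different nonces,
        // and header and markup agree within each response.
        for (int i = 1; i <= 2; i++) {
            String nonce = newNonce();
            System.out.println("request " + i);
            System.out.println("  Content-Security-Policy: " + headerFor(policy, nonce));
            System.out.println("  " + bodyFor(cached, nonce));
        }
    }
}
```

In a filter like the one earlier in the thread, the header value would be set on the response before `chain.doFilter`, and the markup substitution has to happen in whatever layer serves the cached page.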