DC 5.6 Configuring Content-Security-Policy

This section describes how to secure a Digizuite installation using Content-Security-Policy.

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.

CSP is designed to be fully backward compatible: browsers that don't support it still work with servers that implement it, and vice versa. Browsers that don't support CSP ignore the header and function as usual, defaulting to the standard same-origin policy for web content. If the site doesn't send the CSP header, browsers likewise use the standard same-origin policy.

To enable CSP, you need to configure your web server to return the Content-Security-Policy HTTP header.

Digizuite DAM Center

DamCenter uses the httpProtocol customHeaders section to inject the CSP configuration.

Content-Security-Policy is configured in the web.config of DamCenter, under:

/configuration/system.webServer/httpProtocol/customHeaders

While the CSP is still being tuned, use the Content-Security-Policy-Report-Only header; once the policy should be enforced, change the header name to Content-Security-Policy.

DamCenter 5.5.0 and later has an endpoint named “/dmm3bwsv3/csp-reports” where browsers can report violations back to the DC; this information is stored in the database table “dbo.cspviolation_report”.

The AppSetting StoreCspReportsInDb controls whether CSP reports are stored in the database (true/false).


Older DC versions do not have this endpoint; instead, the Developer Console in Google Chrome can be used to find the policies needed.

Example CSP Policy for DC 5.5.0

<add name="Content-Security-Policy-Report-Only" value=" report-to /dmm3bwsv3/csp-reports; report-uri /dmm3bwsv3/csp-reports; base-uri 'self'; default-src 'self'; style-src-attr 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline'; img-src data: 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; " />

Example CSP Policy for DC before 5.5.0

<add name="Content-Security-Policy-Report-Only" value=" base-uri 'self'; default-src 'self'; style-src-attr 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline'; img-src data: 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; " />
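An added audit helper (example code, not part of Digizuite or of this page) that reads a customHeaders entry like the ones above, lists what is still open before the header is renamed for enforcement, and pulls the key fields out of a violation report posted to the csp-reports endpoint. The web.config fragment and the report body are constructed samples; the hostnames in them are placeholders.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample: the customHeaders element as it sits under
# /configuration/system.webServer/httpProtocol/customHeaders in web.config
WEB_CONFIG_FRAGMENT = """<customHeaders>
  <add name="Content-Security-Policy-Report-Only" value=" report-to /dmm3bwsv3/csp-reports; report-uri /dmm3bwsv3/csp-reports; base-uri 'self'; default-src 'self'; style-src-attr 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline'; img-src data: 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; " />
</customHeaders>"""

# Constructed sample: the JSON body a browser POSTs to the report-uri endpoint
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://dam.example.test/Assets/",
    "violated-directive": "img-src",
    "blocked-uri": "https://cdn.example.test/logo.png",
    "original-policy": "default-src 'self'; img-src data: 'self'"}})

def load_csp_headers(xml_text):
    """Return {header name: {directive: [source values]}} for each CSP header found."""
    policies = {}
    for add in ET.fromstring(xml_text).iter("add"):
        name = add.get("name", "")
        if name.startswith("Content-Security-Policy"):
            directives = {}
            for chunk in add.get("value", "").split(";"):
                parts = chunk.split()  # tolerates the stray spaces in the value
                if parts:
                    directives[parts[0]] = parts[1:]
            policies[name] = directives
    return policies

def audit_policy(name, directives):
    """List what to settle before renaming the header to Content-Security-Policy."""
    findings = []
    if name.endswith("-Report-Only"):
        findings.append("report-only: violations are reported, nothing is blocked")
    for weak in ("'unsafe-inline'", "'unsafe-eval'"):
        if weak in directives.get("script-src", []):
            findings.append(f"script-src allows {weak}, which weakens the XSS protection")
    if "frame-ancestors" not in directives:  # default-src does not cover this directive
        findings.append("frame-ancestors not set: framing is not restricted")
    return findings

def triage_report(body):
    """Pick the fields of a csp-report payload a reviewer looks at first."""
    r = json.loads(body)["csp-report"]
    return {"directive": r.get("effective-directive") or r.get("violated-directive"),
            "blocked": r.get("blocked-uri"), "page": r.get("document-uri"),
            "sample": r.get("script-sample", "")}  # set when 'report-sample' is in the policy
```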

See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy for further info.


Tip: adding 'report-sample' to script-src or style-src instructs the browser to include a sample of the blocked inline code in its violation reports.