Content-Security-Policy header for web requests

[jamesmacwhite]

Like the permissionsPolicyHeader config option. It would be nice if there was a Content Security Policy header, equivalent where you can set various policies through Craft. Currently you either have to set this through server configuration which usually applies to the whole application, including Craft CMS itself, meaning you will also have to allow any Craft CMS related domains in this policy, or add the header yourself on front end web requests through a module/plugin.

[timkelty]

@jamesmacwhite another option is to try https://github.com/hyperia-sk/yii2-secure-headers, a Yii2 component that allows you to set many specific types of security headers.

[timkelty]

@jamesmacwhite It appears so, I don't see anything in that component to filter the request.

You could define it a callable so that you could conditionally add it, eg:

<?php

return [
    'components' => [
        'request' => function() {
    
        }
    ]
]

Not the cleanest solution though…we're still discussing a better way to handle this and other headers internally.

[jamesmacwhite]

Yeah. You could argue it's the server level responsibility to set headers but particularly for Content-Security-Policy and Permissions-Policy but having these being applied across an entire Craft CMS application can be risky for Craft CMS itself. The Permissions-Policy has just recently been updated to be only set on web requests, but nothing for CSP currently. The options so far are:

1. Set via Apache, Nginx, Caddy, IIS etc
2. Set via a module which sets the header on web requests only.
3. Roll your own config in app.web.php as above.

[jamesmacwhite]

I'm leaning more on the ability to set them at the web app level, because in my case DDEV uses NGINX whereas our production app uses Apache, so the .htaccess defined doesn't apply until production so testing Content Security Policy basically doesn't happen in dev, which is a bit of a potential issue.

I may go with app.web.php with the ability to only load on site requests for now.

I don't know if this would be a safe way, given calling Craft::$app

'request' => static function() {
    $config = craft\helpers\App::webRequestConfig();
    $request = Craft::createObject($config);

    if ($request->isSiteRequest) {
        Craft::$app->getResponse()->getHeaders()->add('X-Header', 'test');
    }

    return $request;
},

[timkelty]

@jamesmacwhite good news! We settled on a native way to deal with these kind of headers. See #15397 for details (will be included in upcoming 4.11/5.3 release)

[jamesmacwhite]

@timkelty Great work! I look forward to testing out the new headers method in 5.3!