Content Security Policy

Hi there,

After a successful installation of my own Jitsi Meet instance I had some time to deal with the security settings.
In particular, I tried to secure the nginx web server as far as possible, as recommended by the Mozilla Observatory. The only shortcoming at the moment seems to be that the Jitsi server only runs if the CSP script-src and style-src are configured with 'unsafe-inline'.
Is there a development plan to remedy this (implementing nonces, for example)?

Current settings (successfully tested):

# Header names must be hyphenated exactly as below, otherwise nginx sends a header the browser ignores.
# Note: add_header is not inherited into a location block that sets any add_header of its own.
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'self'; object-src 'none'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; connect-src 'self'; media-src 'self'";
add_header Referrer-Policy "strict-origin";

This, together with other settings around TLS and ciphers, leads to a good B+ rating at the Mozilla Observatory, but an A+ would be desirable, of course.

A corresponding post (dated Nov. 2016) can be found in the archive, but without any reaction.

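As an added example (not code from the original post and not Jitsi Meet's own code), the Python below shows the two halves of the nonce approach the post asks about: rewriting the posted policy so that script-src and style-src carry a per-response nonce instead of 'unsafe-inline', and stamping that nonce onto the page's script and style tags while flagging the inline code a nonce can never cover. The policy string is the one from the post; the HTML snippet, the nonce helper and the audit rules are constructed for this example and are assumptions, not Jitsi's markup or a scanner's actual rule set.

```python
"""Added example, not code from the original post or from Jitsi Meet.

Shows what replacing 'unsafe-inline' with per-response nonces involves:
  1. rewrite the policy so script-src/style-src carry 'nonce-<value>',
  2. stamp that nonce onto every <script>/<style> tag of the response,
  3. flag inline code a nonce cannot cover (on* handlers, javascript: URLs),
  4. audit a CSP string for the weaknesses a scanner would report.
SAMPLE_HTML is constructed for this example; it is not Jitsi's markup.
"""
import base64
import re
import secrets
from typing import Dict, List

# The policy from the post, verbatim.
ORIGINAL_CSP = ("default-src 'none'; script-src 'self' 'unsafe-inline'; img-src 'self'; "
                "style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'self'; "
                "object-src 'none'; frame-ancestors 'none'; form-action 'self'; "
                "base-uri 'self'; connect-src 'self'; media-src 'self'")

# Constructed sample page: one external script, one inline script, one inline
# style, and one inline event handler (the case nonces do not solve).
SAMPLE_HTML = """<html><head>
<script src="/libs/app.bundle.min.js"></script>
<script>window.config = {hosts: {domain: "meet.example"}};</script>
<style>body { margin: 0 }</style>
</head><body>
<button onclick="joinRoom()">Join</button>
</body></html>"""

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
TAG_OPEN = re.compile(r"<(script|style)\b(?![^>]*\bnonce=)", re.IGNORECASE)
EVENT_HANDLER = re.compile(r"\son[a-z]+\s*=", re.IGNORECASE)
JS_URL = re.compile(r"""(?:href|src|action)\s*=\s*["']?\s*javascript:""", re.IGNORECASE)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """'a b; c d e' -> {'a': ['b'], 'c': ['d', 'e']} (directive names lower-cased)."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy: Dict[str, List[str]]) -> str:
    return "; ".join(f"{name} {' '.join(values)}".rstrip() for name, values in policy.items())


def new_nonce() -> str:
    # 128 bits of CSPRNG output, base64 encoded: the size the CSP spec recommends.
    return base64.b64encode(secrets.token_bytes(16)).decode()


def nonce_policy(policy: Dict[str, List[str]], nonce: str) -> Dict[str, List[str]]:
    """Copy of `policy` with 'unsafe-inline' replaced by 'nonce-<nonce>' in script-src/style-src.

    Keeping 'unsafe-inline' next to a nonce would be pointless: CSP2+ browsers ignore
    'unsafe-inline' as soon as a nonce or hash is present in the same directive."""
    hardened = {name: list(values) for name, values in policy.items()}
    for directive in ("script-src", "style-src"):
        if directive in hardened:
            hardened[directive] = [v for v in hardened[directive] if v != "'unsafe-inline'"]
            hardened[directive].append(f"'nonce-{nonce}'")
    return hardened


def add_nonces(html: str, nonce: str) -> str:
    """Stamp nonce="..." onto every <script>/<style> opening tag that lacks one (idempotent)."""
    return TAG_OPEN.sub(lambda m: f'<{m.group(1)} nonce="{nonce}"', html)


def unnonceable(html: str) -> List[str]:
    """Inline code no nonce can authorise; it has to move into script files (or use 'unsafe-hashes')."""
    hits = [f"inline event handler: {m.group(0).strip()}" for m in EVENT_HANDLER.finditer(html)]
    hits += ["javascript: URL" for _ in JS_URL.finditer(html)]
    return hits


def audit_csp(policy: Dict[str, List[str]]) -> List[str]:
    """Findings a practitioner would raise; an empty list means none of these checks fired."""
    findings = []
    for directive in ("script-src", "style-src"):
        values = policy.get(directive, policy.get("default-src", []))
        if "'unsafe-inline'" in values and not any(v.startswith(HASH_OR_NONCE) for v in values):
            findings.append(f"{directive}: 'unsafe-inline' without nonce/hash, injected inline code runs")
    script = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-eval'" in script:
        findings.append("script-src: 'unsafe-eval' lets string-to-code sinks run attacker input")
    if any(v in ("*", "https:", "http:", "data:") for v in script):
        findings.append("script-src: wildcard or bare scheme source, any host on it can supply scripts")
    if "object-src" not in policy and policy.get("default-src") != ["'none'"]:
        findings.append("object-src: not restricted, plugin content can execute script")
    if "base-uri" not in policy:
        findings.append("base-uri: not set, an injected <base> retargets relative script URLs")
    return findings


if __name__ == "__main__":
    nonce = new_nonce()
    print("before:", audit_csp(parse_csp(ORIGINAL_CSP)))
    hardened = nonce_policy(parse_csp(ORIGINAL_CSP), nonce)
    print("after: ", audit_csp(hardened))
    print(serialize_csp(hardened))
    print(add_nonces(SAMPLE_HTML, nonce))
    print("still blocked:", unnonceable(SAMPLE_HTML))
```

The nonce has to be fresh for every response and the value in the header has to match the value in the markup, so it cannot be a static string in nginx.conf. Without a scripting module, one way to get that from nginx alone is `set $csp_nonce $request_id;`, referenced from add_header as `'nonce-$csp_nonce'`, together with `sub_filter '<script' '<script nonce="$csp_nonce"'` and `sub_filter_once off` on the HTML location. Two caveats with that approach: sub_filter stamps the nonce onto any `<script` that ends up in the response body, so it is only sound for HTML that never reflects user input, and, as the `unnonceable` check above shows, inline event handlers and `javascript:` URLs are not covered by a nonce at all and still have to be moved into script files (or allowed with `'unsafe-hashes'` plus per-handler hashes). Running `audit_csp` against the header your server actually sends (for example the output of `curl -sI`) is a quick way to confirm the deployed policy matches the one in the config.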

Great! :smile:

FYI, frame-ancestors should obsolete X-Frame-Options. Please see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Note to readers: setting a CSP is tough work. It requires full knowledge of which scripts are loaded from where and how. Wrong settings easily stop your website from working (that is how CSP is expected to work). Please test carefully and make sure nothing is set wrong. I would not recommend copying and pasting a CSP snippet from a site.