Content Security Policy Config


#1

Hello

I am trying to balance my home server web server security and have Nextcloud function properly. CSP is causing issues in the apache.conf folder.

If I set
Header set Content-Security-Policy "default-src 'self' data: 'unsafe-inline' 'unsafe-eval' https://my-domain.com;"

Nextcloud works perfectly. However, all my security scans give me warnings due to the eval and inline security flaws. To fix this I can remove these from my CSP config and Nextcloud then stops working.

My questions are:

  1. Is there a set CSP policy I can have to use Nextcloud and not have the risk of inline/eval?
  2. Nextcloud is the only service on the server. Do I need CSP at all in my apache.conf as I don't host any other HTML?

I've looked a lot on Google, and there is much on setting CSP and Nextcloud, but not together, for the semi-noob.

Thanks
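As an added example that is not part of this thread: a small Python checker that reads a Content-Security-Policy header value the way a scanner does and reports which directives end up allowing 'unsafe-inline' or 'unsafe-eval', including the case where script-src or style-src is absent and falls back to default-src (which is exactly what happens with the policy in the question, since it only sets default-src). The policy string below is a constructed copy of the one quoted above; my-domain.com is the questioner's own placeholder.

```python
"""CSP checker (added example, not code from the forum thread).

Parses a Content-Security-Policy header value and reports, per effective
directive, the keyword sources that security scanners flag as weakening
the policy: 'unsafe-inline' and 'unsafe-eval'.
"""
from typing import Dict, List

# Keyword sources a scanner flags, per directive. 'unsafe-eval' only has
# meaning for script execution, 'unsafe-inline' for scripts and styles.
RISKY_KEYWORDS = {
    "script-src": {"'unsafe-inline'", "'unsafe-eval'"},
    "style-src": {"'unsafe-inline'"},
}

# Fetch directives that fall back to default-src when not set explicitly.
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "connect-src",
                       "font-src", "media-src", "object-src", "frame-src"}


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directives are ';'-separated; the first token is the (case-insensitive)
    directive name, the rest are source expressions. Keyword sources keep
    their single quotes because the quotes are significant in CSP.
    """
    policy: Dict[str, List[str]] = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, []).extend(sources)
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources governing `directive`, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT:
        return policy.get("default-src", [])
    return []


def risky_findings(header_value: str) -> Dict[str, List[str]]:
    """Map each effective directive to the sorted risky keywords it allows."""
    policy = parse_csp(header_value)
    findings: Dict[str, List[str]] = {}
    for directive, risky in RISKY_KEYWORDS.items():
        allowed = effective_sources(policy, directive)
        flagged = sorted(src for src in allowed if src in risky)
        if flagged:
            findings[directive] = flagged
    return findings


# Constructed copy of the policy from the question above.
QUESTIONERS_POLICY = (
    "default-src 'self' data: 'unsafe-inline' 'unsafe-eval' https://my-domain.com;"
)

if __name__ == "__main__":
    for directive, keywords in risky_findings(QUESTIONERS_POLICY).items():
        print(f"{directive}: allows {', '.join(keywords)}")
```

Because the questioner's policy sets only default-src, both script-src and style-src inherit the unsafe keywords, which is why every scanner flags it. A policy that keeps the keywords in default-src but adds an explicit `script-src 'self'` would be reported only for style-src; whether Nextcloud still works under such a policy is what the answers below address.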


#2

Hi,

Nextcloud server and apps require the unsafe-eval entry in the CSP header for now. Devs are already aware of that and trying to remove it:

Because it is not easy to do and requires a lot of changes in the code, it takes some time. However, it is in the Backlog of the “Security Hardenings” (first column on the left side):

This CSP header entry should not be a serious issue though since @LukasReschke made some changes:

This seems rather hard to accomplish due to our existing JS code base. As a first step I’ve added a hardening to jQuery that makes the unsafe-eval in jQuery a non-issue at least: #3874

(Source: https://github.com/nextcloud/server/issues/1185#issuecomment-289396788)

As soon as the code base has been adapted, the CSP header will be removed by Nextcloud with a feature update. So there is nothing for you to do. Just wait until it’s “enhanced” (not to say fixed) :slight_smile:

But I’m with you; I’m also hoping it is done soon :slight_smile:


#3

FYI this is done for Nextcloud 15. It’ll require some changes in apps, of course…