This is a question that I'm asking for clarification. Depending on the answer, I may turn it into an Update request.

In https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html#3-content-security-policy-meta-tag, it states:

> Sometimes you cannot use the Content-Security-Policy header if you are, e.g., deploying your HTML files in a CDN where the headers are out of your control.
> In this case, you can still use CSP by specifying a http-equiv meta tag in the HTML markup ...

How exactly do CDNs affect CSP response headers? Because this is a security-specific header, I would be extremely surprised if any CDN would deliberately alter CSP headers by default. I think doing so could potentially make the companies liable for allowing XSS vulnerabilities that otherwise would have been blocked. Hence, it seems doubtful to me that they would do this by default. They almost certainly change some other response headers, such as Cache-Control, Pragma, Expires, etc., but Content-Security-Policy? That sounds like an urban myth to me. And while CDNs may add CSP headers, I think CDNs would avoid even that (unless it's only for reporting), as otherwise they could break something. But changing or deleting the header as the CDN's default behavior? That seems far-fetched to me and I'm not buying it without some evidence.

My only comparison point is for AWS CloudFront, where someone pointed me to https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-responseheaderspolicy-contentsecuritypolicy.html. If you look at it, you will see a required JSON key named "Override" that is a boolean value, for which the documentation states:

> A Boolean that determines whether CloudFront overrides the Content-Security-Policy HTTP response header received from the origin with the one specified in this response headers policy.

Thus, for AWS CloudFront at least, it seems as though the default is "hands-off" unless it's explicitly told to override the value. Granted, that's only a single data point, but that seems like it would be the intuitive behavior to me.

So, can someone perhaps provide some clarification on this? If there are CDNs that muck with CSP headers by default, does anyone have any evidence? That's all I'm looking for: a bit of clarification.

Your skepticism is fair: CDNs don't alter CSP headers by default. The use of a meta tag for CSP is generally recommended in environments where header control is limited, not because CDNs are altering or stripping CSP headers. If there are specific cases where CDNs modify CSP headers by default, they would be outliers, and evidence of such behavior would likely be documented due to the potential security implications.
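One way to gather the evidence the issue asks for, written here as an added example (not code from the cheat sheet or from anyone in the thread): capture the Content-Security-Policy header from the origin and from the CDN edge, diff the two, and separately list the directives that would be lost if the policy were moved into the meta tag. The two sample policies are constructed; the set of directives the meta tag cannot carry is taken from the CSP Level 3 spec.

```python
"""Added example, not from the OWASP cheat sheet or the issue thread:
compare the CSP seen at the origin with the one seen through a CDN edge,
and flag directives the meta-tag fallback cannot carry."""
from typing import Dict, List

# Directives ignored when CSP is delivered via <meta http-equiv=...>;
# taken from the CSP Level 3 spec, not from the issue text.
META_UNSUPPORTED = {"frame-ancestors", "report-uri", "report-to", "sandbox"}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Parse 'name src src; name2 ...' into {name: [sources]}."""
    result: Dict[str, List[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        # Per spec, a repeated directive name is ignored: the first one wins.
        result.setdefault(tokens[0].lower(), tokens[1:])
    return result


def diff_csp(origin: str, edge: str) -> Dict[str, List[str]]:
    """Directives the edge dropped, added, or rewrote relative to the origin."""
    o, e = parse_csp(origin), parse_csp(edge)
    return {
        "dropped": sorted(set(o) - set(e)),
        "added": sorted(set(e) - set(o)),
        "changed": sorted(d for d in set(o) & set(e) if o[d] != e[d]),
    }


def meta_fallback_gaps(policy: str) -> List[str]:
    """Directives that silently stop working if this policy moves to a meta tag."""
    return sorted(set(parse_csp(policy)) & META_UNSUPPORTED)


# Constructed sample: the origin's policy, and what an edge that injects its
# own policy (e.g. CloudFront with Override=true) might return instead.
ORIGIN_CSP = ("default-src 'self'; script-src 'self' 'nonce-abc123'; "
              "frame-ancestors 'none'; report-uri /csp-report")
EDGE_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /csp-report"

if __name__ == "__main__":
    print(diff_csp(ORIGIN_CSP, EDGE_CSP))
    print(meta_fallback_gaps(ORIGIN_CSP))
```

Feed the two strings from real `curl -I` captures of the origin and the edge to see whether anything actually changed in transit; an empty diff is the evidence the question is after.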