From a9b3a4cf25e64383d68257aab5e5eb56ffd9190a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simonyi=20Gerg=C5=91?= <28359278+gergosimonyi@users.noreply.github.com> Date: Thu, 21 Nov 2024 14:20:04 +0100 Subject: [PATCH] website/docs: add CSP to hardening (#11970) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * add CSP to hardening * re-word docs Co-authored-by: Tana M Berry Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com> * fix typo * use the correct term "location" instead of "origin" in CSP docs * reword docs * add comments to permissive CSP directives * add warning about overwriting existing CSP headers --------- Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com> Co-authored-by: Tana M Berry --- website/docs/security/security-hardening.md | 29 +++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/website/docs/security/security-hardening.md b/website/docs/security/security-hardening.md index a705e4ca2d..6279c4f563 100644 --- a/website/docs/security/security-hardening.md +++ b/website/docs/security/security-hardening.md 
@@ -47,3 +47,32 @@ To prevent any user from creating/editing CAPTCHA stages block API requests to t - `/api/v3/managed/blueprints*` With these restrictions in place, CAPTCHA stages can only be edited using [Blueprints on the file system](../customize/blueprints/index.md#storage---file). + +### Content Security Policy (CSP) + +:::caution +Setting up CSP incorrectly might result in the client not loading necessary third-party code. +::: + +:::caution +In some cases, a CSP header will already be set by authentik (for example, in [user uploaded content](https://github.com/goauthentik/authentik/pull/12092/)). Do not overwrite an already existing header as doing so might result in vulnerabilities. Instead, add a new CSP header. +::: + +Content Security Policy (CSP) is a security standard that mitigates the risk of content injection vulnerabilities. authentik doesn't currently support CSP natively, so setting it up depends on your installation. We recommend using a [reverse proxy](../install-config/reverse-proxy.md) to set a CSP header. + +authentik requires at least the following allowed locations: + +``` +default-src 'self'; +img-src 'https:' 'http:' 'data:'; +object-src 'none'; +style-src 'self' 'unsafe-inline'; # Required due to Lit/ShadowDOM +script-src 'self' 'unsafe-inline'; # Required for generated scripts +``` + +Your use case might require more allowed locations for various directives, e.g. + +- when using a CAPTCHA service +- when using Sentry +- when using any custom JavaScript in a prompt stage +- when using Spotlight Sidecar for development
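Review bot: The CSP example introduced under "authentik requires at least the following allowed locations" is not valid CSP as written, and would fail in exactly the way the first caution warns about if an operator pastes it into a reverse proxy. Scheme sources must not be single-quoted: in `img-src 'https:' 'http:' 'data:';` the quotes are reserved for keywords such as 'self' and 'none', so browsers discard those three tokens as unrecognised source expressions and the directive ends up blocking every image; it should read `img-src https: http: data:;`. The CSP grammar also has no comment syntax, so the trailing `# Required due to Lit/ShadowDOM` and `# Required for generated scripts` are not ignored but parsed as further host-source entries of style-src and script-src; move those two explanations into the prose before or after the block and keep the fenced block to the bare directives. Finally, consider whether `http:` in img-src is intended, since it permits loading images over plaintext HTTP on an otherwise HTTPS deployment, and say so in the text if it is deliberate.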