habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

website/docs: add CSP to hardening (#11970)

Browse Source 
* add CSP to hardening

* re-word docs

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>

* fix typo

* use the correct term "location" instead of "origin" in CSP docs

* reword docs

* add comments to permissive CSP directives

* add warning about overwriting existing CSP headers

---------

Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
This commit is contained in:
Simonyi Gergő
2024-11-21 14:20:04 +01:00
committed by GitHub
parent 96964d2950
commit a9b3a4cf25
1 changed files with 29 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
website/docs/security/security-hardening.md
View File

@ -47,3 +47,32 @@ To prevent any user from creating/editing CAPTCHA stages block API requests to t
- `/api/v3/managed/blueprints*`
With these restrictions in place, CAPTCHA stages can only be edited using [Blueprints on the file system](../customize/blueprints/index.md#storage---file).
### Content Security Policy (CSP)
:::caution
Setting up CSP incorrectly might result in the client not loading necessary third-party code.
:::
:::caution
In some cases, a CSP header will already be set by authentik (for example, in [user uploaded content](https://github.com/goauthentik/authentik/pull/12092/)). Do not overwrite an already existing header as doing so might result in vulnerabilities. Instead, add a new CSP header.
:::
Content Security Policy (CSP) is a security standard that mitigates the risk of content injection vulnerabilities. authentik doesn't currently support CSP natively, so setting it up depends on your installation. We recommend using a [reverse proxy](../install-config/reverse-proxy.md) to set a CSP header.
authentik requires at least the following allowed locations:
```
default-src 'self';
img-src 'https:' 'http:' 'data:';
object-src 'none';
style-src 'self' 'unsafe-inline'; # Required due to Lit/ShadowDOM
script-src 'self' 'unsafe-inline'; # Required for generated scripts
```
Your use case might require more allowed locations for various directives, e.g.
- when using a CAPTCHA service
- when using Sentry
- when using any custom JavaScript in a prompt stage
- when using Spotlight Sidecar for development