Overview
This topic provides a short overview of Content Security Policies, but this is a huge area that can't be covered in detail here. We recommend reviewing the following resources to gain a more complete understanding:
A Content Security Policy (CSP) is a standard HTTP response header (Content-Security-Policy) sent by the server to convey various security-related directives to the browser. Modern browsers enforce the rules to detect and prevent attacks. In addition, the security policy can request that browsers report all violations, which is helpful for testing and monitoring of deployments. A second header (Content-Security-Policy-Report-Only) specifies that the browser only reports potential violations for that policy. This helps with migrating to a stronger policy: the server can provide one policy to enforce and a stricter policy to report. CSP supersedes older, single-purpose headers like X-Frame-Options and X-XSS-Protection.
Commitment to Security
LabKey is committed to ensuring the security of every deployment, whether LabKey Cloud or on-premise. A strict CSP is an important tool for defending against various attacks, especially cross-site scripting (XSS) and cross-origin resource sharing (CORS) attacks. Over the years, LabKey has worked diligently to detect and eliminate XSS vulnerabilities, and a strict CSP adds an additional layer of protection against XSS. Deploying a CSP is a best practice for web server deployments. Savvy IT staff and security scanners are requiring CSPs.
LabKey has enabled the use of strict CSPs on LabKey deployments. We have updated all code in our products to eliminate inline script and ensure nonces are specified on all script tags. Our test suites run with strict CSP enforcement (tests fail if any CSP violations are detected). We have enabled a strict CSP on all cloud-based LabKey Server deployments and encourage on-premise clients to deploy with strict CSP in enforce mode as soon as possible.
Configure the CSP
All on-premise distributions for 25.3 include a recommended default strong CSP running in report-only mode. Review the contents of the template application.properties file here.
While it is possible to provide your own custom CSP in the application.properties file, it is not recommended.
Upgrade note: If you are running an on-premise LabKey Server and previously included either of these in your application.properties file, consider removing them and using our default.
You can easily customize our default to allow external sources using the UI. If you require customizations not covered by these options, please contact us so that we can help.
If an enforce CSP is configured and then found to block critical content, it can be disabled temporarily using the "Disable enforce Content Security Policy" experimental feature. This turns off an important layer of security for the entire site, so use it as a last resort only on a temporary basis.
Customize the CSP
To protect users, a strict CSP restricts the browser's ability to load resources from external sources. In the LabKey standard CSP, only sources from LabKey Server itself are allowed. If custom code running on your server needs to allow legitimate external resources, LabKey provides two options:
- Allowed External Resource Hosts page. Administrators can register external resource hosts via this Admin Console page, which can be useful for resources required by wiki pages or file-based modules.
- Programmatic registration of allowed sources. Java developers writing LabKey modules that require external resources can call an API to register allowed sources for various directives.
Review Reports
When you have a CSP running in report mode, the server writes any violations of that CSP to <LABKEY_HOME>/logs/csp-report.log.
You'll need to work through each reported item, taking action depending on the type of directive the report is about.
External Host Examples
Allowing external hosts when necessary is done via the Admin Console.
If you see reports where the effective-directive is "img-src" and blocked-uri contains "https://www.googletagmanager.com", you can resolve them by adding that URL as an "image-src" host. This is common when Google Analytics is enabled on your site.
If you see "img-src" reports where the blocked-uri is "blob", the page includes an image that exists only in one user's browser. Such images are blocked, and because they would not render in other users' browsers anyway, adding "blob" as an allowed host is not recommended. These images should be removed.
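As an added example (not LabKey's own code), the following script works through a report log the way the two cases above describe: it groups violations by directive and blocked origin, flags external hosts for registration in the Admin Console, and flags "blob" images for removal. The sample lines are constructed in the browser's standard CSP report JSON shape; the exact layout of LabKey's csp-report.log is an assumption here.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines (not an excerpt of a real csp-report.log).
SAMPLE_LOG = """
{"csp-report": {"document-uri": "https://labkey.example.org/home/project-begin.view", "effective-directive": "img-src", "blocked-uri": "https://www.googletagmanager.com/gtag/js?id=G-XXXX"}}
{"csp-report": {"document-uri": "https://labkey.example.org/home/project-begin.view", "effective-directive": "img-src", "blocked-uri": "https://www.googletagmanager.com/td?id=G-XXXX"}}
{"csp-report": {"document-uri": "https://labkey.example.org/wiki/page.view?name=dash", "effective-directive": "img-src", "blocked-uri": "blob"}}
{"csp-report": {"document-uri": "https://labkey.example.org/wiki/page.view?name=dash", "effective-directive": "script-src-elem", "blocked-uri": "inline"}}
"""

def parse_reports(text):
    """Yield one (directive, blocked_uri, document_uri) tuple per JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        r = json.loads(line)["csp-report"]
        yield r["effective-directive"], r["blocked-uri"], r["document-uri"]

def classify(directive, blocked_uri):
    """Map one violation to the remediation the text describes for it."""
    if blocked_uri == "blob":
        return "remove: browser-local blob image; do not allow 'blob'"
    if blocked_uri == "inline" and directive.startswith("script-src"):
        return "fix: add the nonce placeholder to the script tag"
    if blocked_uri.startswith(("http://", "https://")):
        host = urlsplit(blocked_uri).netloc
        return f"allow: register {host} as an allowed {directive} host via Admin Console"
    return "review manually"

def triage(text):
    """Group violations by (directive, origin) so each item is handled once.
    Returns {(directive, origin): (count, action)}."""
    counts = Counter()
    actions = {}
    for directive, blocked, _doc in parse_reports(text):
        origin = urlsplit(blocked).netloc or blocked   # "blob"/"inline" have no host
        key = (directive, origin)
        counts[key] += 1
        actions.setdefault(key, classify(directive, blocked))
    return {k: (counts[k], actions[k]) for k in counts}

if __name__ == "__main__":
    for (directive, origin), (n, action) in sorted(triage(SAMPLE_LOG).items()):
        print(f"{n:4d}  {directive:16s} {origin:28s} -> {action}")
```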
Add Nonce to HTML Script Tags
Every HTML script tag requires a nonce with a value that matches the request-specific value in the response CSP header. The server generates this random value, substitutes it into the CSP that gets sent with the response, and substitutes it into all script tags that get sent in the response. Developers are responsible for adding an appropriate placeholder for the server to use for substitution purposes. The exact syntax varies based on the type of file.
As an example, one of the original LabKey 'Hello World' tutorials included a snippet like this, greeting the user by name in a script tag:
<p>Hello <script>
document.write(LABKEY.Security.currentUser.displayName);
</script>, Welcome to the Dashboard!</p>
To supply the required nonce for this script tag, use:
<p>Hello <script nonce="<%=scriptNonce%>">
document.write(LABKEY.Security.currentUser.displayName);
</script>, Welcome to the Dashboard!</p>
However, as document.write() is deprecated and generally not recommended, a better way to accomplish this is:
<p>Hello <span id="username"></span>, Welcome to the Dashboard!</p>
<script type="text/javascript" nonce="<%=scriptNonce%>">
document.getElementById("username").textContent = LABKEY.Security.currentUser.displayName;
</script>
Or you could simplify to entirely avoid the script section:
<p>Hello, Welcome to the Dashboard!</p>
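To make the substitution step concrete, here is an added Python example (not LabKey's server code) that does what the text describes: it generates a fresh random nonce per response, substitutes it for the <%=scriptNonce%> placeholder in the page and into the CSP header, and then checks that every script tag carries the matching nonce. The header string and the page template are constructed for illustration.

```python
import base64
import re
import secrets

# Constructed template using the <%=scriptNonce%> placeholder shown above.
TEMPLATE = """<p>Hello <span id="username"></span>, Welcome to the Dashboard!</p>
<script type="text/javascript" nonce="<%=scriptNonce%>">
document.getElementById("username").textContent = LABKEY.Security.currentUser.displayName;
</script>
"""

PLACEHOLDER = "<%=scriptNonce%>"
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR = re.compile(r'\bnonce="([^"]*)"', re.IGNORECASE)

def new_nonce():
    """Unpredictable per-response nonce: 128 random bits, base64 as CSP expects."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def render(template, nonce):
    """Substitute the placeholder into the page and build the matching header.
    Returns (html, header); the header is illustrative, not LabKey's default CSP."""
    html = template.replace(PLACEHOLDER, nonce)
    header = f"default-src 'self'; script-src 'nonce-{nonce}'; object-src 'none'"
    return html, header

def script_tags_missing_nonce(html, nonce):
    """Return the attribute strings of script tags that lack the correct nonce.
    A non-empty result means the browser would refuse to run that script."""
    bad = []
    for m in SCRIPT_TAG.finditer(html):
        attrs = m.group(1)
        found = NONCE_ATTR.search(attrs)
        if not found or found.group(1) != nonce:
            bad.append(attrs.strip())
    return bad

if __name__ == "__main__":
    nonce = new_nonce()
    html, header = render(TEMPLATE, nonce)
    print("Content-Security-Policy:", header)
    print(html)
    print("missing nonce:", script_tags_missing_nonce(html, nonce))
    # The original Hello World snippet has no placeholder, so it fails the check:
    legacy = "<p>Hello <script>document.write(LABKEY.Security.currentUser.displayName);</script></p>"
    print("legacy missing nonce:", script_tags_missing_nonce(legacy, nonce))
```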
Premium Resource for Developers
Subscribers to premium editions of LabKey Server can learn more about development supporting a strict CSP and find more examples in this topic: