Content security policy

Content security policy (CSP_) is an added layer of security that helps to detect and mitigate certain types of attacks, including cross-site scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to the distribution of malware.

According to TYPO3-PSA-2019-010 authenticated users - but not having administrator privileges - are allowed to upload files to their granted file mounts (e.g. fileadmin/ in most cases). This also includes the possibility to upload potential malicious code in HTML or SVG files (using JavaScript, injecting cross-site scripting vulnerabilities).

To mitigate these potential scenarios it is advised to either deny uploading files as described in TYPO3-PSA-2019-010 (which might be impractical for some sites) or add content security policy headers for these directories - basically all public available base directories of file storages (sys_file_storage).

Please note that the CSP configuration in Content Security Policy only applies to pages served by TYPO3 (when PHP is involved, allowing the configured Middleware to be utilized).

Files that are not served by TYPO3, as is the case with files in fileadmin/, need manual server configuration if CSP is to be applied, for example to .svg files to prevent possible execution and loading of further remote resources or scripts.

The following example sends a corresponding CSP header for any file accessed via https://example.org/fileadmin/...:

# placed in fileadmin/.htaccess on Apache 2.x webserver
<IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';"
</IfModule>
Copied!

For nginx webservers, the following configuration example can be used to send a CSP header for any file accessed via https://example.org/fileadmin/...:

map $request_uri $csp_header {
    ~^/fileadmin/ "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';";
}

server {
    # Add strict CSP header depending on mapping (fileadmin only)
    add_header Content-Security-Policy $csp_header;
    # ... other add_header declarations can follow here
}
Copied!

The nginx example configuration uses a map, since top level add_header declarations will be overwritten if add_header is used in sublevels (e.g. location) declarations.

CSP rules can be verified with a CSP-Evaluator