Content security policy
Content security policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including cross-site scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to the distribution of malware.
According to TYPO3-PSA-2019-010, authenticated backend users without
administrator privileges are allowed to upload files to the file mounts
granted to them (fileadmin/ in most cases). This includes the possibility
to upload potentially malicious code in HTML or SVG files: both are served
with a content type the browser renders, so script embedded in such a file
executes in the origin of the site (stored cross-site scripting).
To mitigate this, it is advised either to deny uploading such files as
described in TYPO3-PSA-2019-010 (which might be impractical for some sites)
or to send content security policy headers for these directories, that is,
for all publicly available base directories of file storages. The following
policy allows the browser to render an uploaded file but forbids executing
scripts, applying styles and loading plugins from it:
```apacheconf
# placed in fileadmin/.htaccess on Apache 2.x webserver
<IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';"
</IfModule>
```
Note that the `<IfModule>` guard silently omits the header when mod_headers is not loaded, and that `.htaccess` files are only honoured when `AllowOverride` permits it, so check the response headers actually served from the directory after deploying. The CSP rules themselves can be verified with a CSP evaluator such as Google's CSP Evaluator.
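The following script is an added example, not code from TYPO3 or from the page above: it parses a serialized Content-Security-Policy header the way a browser does (per-directive fallback to `default-src`, first occurrence of a repeated directive wins) and checks it against what a public file storage directory needs. The function names, the `fetch_policy` helper and the sample headers are all constructed here. It also shows why `default-src 'self'` alone is not enough: `'self'` still permits a script file that was uploaded next to the HTML file.

```python
"""Check a Content-Security-Policy header against what a public TYPO3 file
storage directory (e.g. fileadmin/) should send. Added example; only the
Python standard library is used."""
from __future__ import annotations

import urllib.request

# Fetch directives that matter for uploaded HTML/SVG files: executing script,
# loading plugins and applying styles should all be denied.
REQUIRED_NONE = ("script-src", "object-src", "style-src")
# Source expressions that widen a directive beyond what a file storage needs.
RISKY_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "blob:"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive: [source expressions]}.
    Directives are separated by ';', values by whitespace, names are
    case-insensitive. Browsers ignore a repeated directive, so the first
    occurrence wins here as well."""
    policy: dict[str, list[str]] = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name, *values = parts
        policy.setdefault(name.lower(), values)
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Return the source list a browser applies for a fetch directive.
    An unset fetch directive falls back to default-src; if that is unset too
    nothing is restricted, which is signalled with None."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def check_storage_policy(header: str) -> list[str]:
    """Return findings; an empty list means the header does what is
    recommended above for a public file storage directory."""
    policy = parse_csp(header)
    findings: list[str] = []
    for directive in REQUIRED_NONE:
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive}: unset and no default-src, everything allowed")
        elif sources != ["'none'"]:
            # 'self' is not enough: it allows other uploaded files from the
            # same storage, e.g. a .js file uploaded next to the .html file.
            findings.append(f"{directive}: {' '.join(sources)} (expected 'none')")
    for directive, sources in policy.items():
        for source in sources:
            if source in RISKY_SOURCES:
                findings.append(f"{directive}: contains {source}")
    return findings


def fetch_policy(url: str, timeout: float = 5.0) -> str | None:
    """Request a file from the storage and return the CSP header it is served
    with, or None if there is none (e.g. mod_headers not loaded, or the
    .htaccess ignored because of AllowOverride None). Needs network access."""
    with urllib.request.urlopen(url, timeout=timeout) as response:
        return response.headers.get("Content-Security-Policy")


# Constructed sample headers for the demonstration.
RECOMMENDED = "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';"
SELF_ONLY = "default-src 'self'"  # scripts from the same origin still run
INLINE = "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'"

if __name__ == "__main__":
    for label, header in (("recommended", RECOMMENDED), ("self-only", SELF_ONLY), ("inline", INLINE)):
        print(f"{label}: {check_storage_policy(header) or 'OK'}")
```

To check a live deployment, pass the URL of any file in the storage to `fetch_policy` and feed the returned header to `check_storage_policy`; a `None` result means the header is not reaching the client at all, which is the failure mode the `<IfModule>` guard hides.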