Content security policy

New in version 12.3

Content Security Policy declarations can be applied to a TYPO3 website in frontend and backend scope with a dedicated API. See Content Security Policy.

Content security policy (CSP_) is an added layer of security that helps to detect and mitigate certain types of attacks, including cross-site scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to the distribution of malware.

According to TYPO3-PSA-2019-010 authenticated users - but not having administrator privileges - are allowed to upload files to their granted file mounts (e.g. fileadmin/ in most cases). This also includes the possibility to upload potential malicious code in HTML or SVG files (using JavaScript, injecting cross-site scripting vulnerabilities).

To mitigate these potential scenarios it is advised to either deny uploading files as described in TYPO3-PSA-2019-010 (which might be impractical for some sites) or add content security policy headers for these directories - basically all public available base directories of file storages (sys_file_storage).

The following example sends a corresponding CSP header for any file accessed via https://example.org/fileadmin/...:

# placed in fileadmin/.htaccess on Apache 2.x webserver
<IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';"
</IfModule>
Copied!

For nginx webservers, the following configuration example can be used to send a CSP header for any file accessed via https://example.org/fileadmin/...:

map $request_uri $csp_header {
    ~^/fileadmin/ "default-src 'self'; script-src 'none'; style-src 'none'; object-src 'none';";
}

server {
    # Add strict CSP header depending on mapping (fileadmin only)
    add_header Content-Security-Policy $csp_header;
    # ... other add_header declarations can follow here
}
Copied!

The nginx example configuration uses a map, since top level add_header declarations will be overwritten if add_header is used in sublevels (e.g. location) declarations.

CSP rules can be verified with a CSP-Evaluator