Is there an existing issue for this topic?
Description
I'd love to see the Content-Security-Policy header (CSP) implemented in the Neos core for backend and frontend.
It would make Neos projects more secure by default; it could mitigate XSS attacks, for example.
Possible Solution
There is already an existing package for Neos which adds CSP, but it's very old and not working anymore. But I guess it will be very useful for some inspiration.
I tried to repair the package by myself, but there were issues with nonces and cache, like others described in this Slack thread.
Just one note (as mentioned before):
Whatever the implementation is, it should not be based on Fusion in my opinion because that bakes the CSP rules into the content cache (which in turn means that caches have to be flushed whenever they change – unless we manage to put them into some dedicated cache segment)
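The comment above points at the core difficulty: a nonce has to be fresh for every response, but anything rendered through Fusion ends up in the content cache. One way to keep the two apart is to let cached markup carry only a fixed placeholder and have an HTTP middleware swap in the real nonce on each response, while the header itself is set at the same level. The following PSR-15 middleware is an added example written for this thread; it is not code from the issue, from Neos, or from the Flowpack package. The placeholder string, the `cspNonce` request attribute, the policy directives, and PHP 8.1 with a PSR-17 stream factory are all assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the issue thread, Neos or the Flowpack package.
// A PSR-15 middleware that generates a fresh nonce per request and keeps it out
// of the content cache: cached markup carries only the literal placeholder,
// which is replaced on every response before the CSP header is attached.
// Placeholder name, attribute name and the policy directives are assumptions.

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Message\StreamFactoryInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

final class CspNonceMiddleware implements MiddlewareInterface
{
    /** Literal that cached templates emit where the real nonce belongs (assumed name). */
    public const PLACEHOLDER = '__CSP_NONCE__';

    public function __construct(private readonly StreamFactoryInterface $streamFactory)
    {
    }

    /** 128 bits from the CSPRNG, base64 encoded: unguessable and valid as a CSP nonce-source. */
    public static function generateNonce(): string
    {
        return base64_encode(random_bytes(16));
    }

    /** Builds the policy value for one response; only the nonce differs between requests. */
    public static function buildPolicy(string $nonce): string
    {
        return implode('; ', [
            "default-src 'self'",
            "script-src 'self' 'nonce-{$nonce}'",
            "style-src 'self' 'nonce-{$nonce}'",
            "object-src 'none'",
            "base-uri 'self'",
            "frame-ancestors 'self'",
        ]);
    }

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $nonce = self::generateNonce();

        // Uncached rendering can read the nonce from the request attribute
        // and emit <script nonce="..."> directly.
        $response = $handler->handle($request->withAttribute('cspNonce', $nonce));

        // Cached HTML still contains the placeholder; substitute this request's nonce.
        $html = (string)$response->getBody();
        if (str_contains($html, self::PLACEHOLDER)) {
            $response = $response->withBody(
                $this->streamFactory->createStream(str_replace(self::PLACEHOLDER, $nonce, $html))
            );
        }

        // The header is never cached: it is computed here, outside the content cache.
        return $response->withHeader('Content-Security-Policy', self::buildPolicy($nonce));
    }
}
```

Two things to check when using this pattern: the middleware must sit outside whatever layer fills the content cache, so that the cache only ever stores the placeholder and never a previously substituted nonce; and user-supplied content must not be able to contain the placeholder literal, otherwise stored markup could acquire a valid nonce through the substitution step, so escape or reject it at input time.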
We just created a package which addresses this issue: https://github.com/Flowpack/Flowpack.ContentSecurityPolicy
We talked about whether it should be included in the core but this would be hard to implement as we would potentially break a lot of websites as every website has unique requirements for its CSP.
So we created a package, which will be available via Composer very soon :)