[FOLIO-2956] Spike: Provide guidelines for use of Content Security Policy headers with FOLIO Created: 12/Jan/21 Updated: 19/Jan/23 |
|
| Status: | Blocked |
| Project: | FOLIO |
| Components: | Documentation |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Task | Priority: | P3 |
| Reporter: | Jason Skomorowski | Assignee: | Unassigned |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | documentation, security, security-reviewed |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Issue links: |
|
| Sprint: | |
| Story Points: | 3 |
| Development Team: | Stripes Force |
| Description |
|
Content Security Policy is a set of headers a server sending JavaScript can use to constrain the environment it's executed in. https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP While teams deploying FOLIO at various vendors and institutions are presumably making some use of this mechanism already, it's able to be quite fine-grained and to make full use of it you need to understand the web application you're deploying in depth:
It's touched on in this colourful and engaging (though long) article on web application security I occasionally link to: https://medium.com/hackernoon/part-2-how-to-stop-me-harvesting-credit-card-numbers-and-passwords-from-your-site-844f739659b9 I've mentioned this a few times, even as far back as
|
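The description above makes two points: CSP lets the server constrain what scripts the browser will run, and using it well requires knowing which directives the deployed application actually needs. The following is an added example, not FOLIO or Stripes code, showing what a deployer's "strawman guideline" might be checked against: a small parser for the Content-Security-Policy header value, a linter that flags the settings an XSS payload relies on (`'unsafe-inline'` without a nonce, `'unsafe-eval'`, wildcard hosts, missing `base-uri`/`object-src`/`frame-ancestors`), and a builder for a nonce-based policy. The weak policy, the nonce value and the API origin `https://okapi.example.org` are constructed for the example; a real deployment must substitute its own origins.

```javascript
// Added example: CSP parser, linter and strict-policy builder.
// Not FOLIO project code; policy contents and origins below are assumptions.

// Parse a Content-Security-Policy header value into a Map<directive, string[]>.
// Directive names are case-insensitive; source expressions are kept verbatim
// (keywords such as 'self' keep their quotes).
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const part = raw.trim();
    if (!part) continue;
    const [name, ...sources] = part.split(/\s+/);
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Inverse of parseCsp: render the Map back into a header value.
function serializeCsp(directives) {
  return [...directives]
    .map(([name, sources]) => [name, ...sources].join(' '))
    .join('; ');
}

// Lint a policy for settings that leave an injected script executable.
// Returns human-readable findings; an empty array means nothing was flagged.
function lintCsp(header) {
  const d = parseCsp(header);
  const findings = [];
  // script-src falls back to default-src when it is absent.
  const scriptSrc = d.get('script-src') || d.get('default-src');
  if (!scriptSrc) {
    findings.push('no script-src or default-src: scripts may load from any origin');
  } else {
    // CSP3 browsers ignore 'unsafe-inline' when a nonce or hash is present,
    // so only flag it when nothing stronger is in the list.
    const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script-src allows 'unsafe-inline' without a nonce/hash: an injected <script> runs");
    }
    if (scriptSrc.includes("'unsafe-eval'")) {
      findings.push("script-src allows 'unsafe-eval': eval()/new Function() on attacker strings run");
    }
    // '*' or a bare scheme such as https: permits scripts from any host.
    if (scriptSrc.some((s) => s === '*' || /^https?:$/.test(s))) {
      findings.push('script-src allows any host (wildcard or bare scheme)');
    }
  }
  // object-src falls back to default-src; base-uri and frame-ancestors do not.
  if (!d.has('object-src') && !d.has('default-src')) {
    findings.push("no object-src: <object>/<embed> content is unrestricted; set object-src 'none'");
  }
  if (!d.has('base-uri')) {
    findings.push("no base-uri: an injected <base> tag can redirect relative script URLs; set base-uri 'none' or 'self'");
  }
  if (!d.has('frame-ancestors')) {
    findings.push("no frame-ancestors: the app can be framed (clickjacking); set frame-ancestors 'none' or 'self'");
  }
  return findings;
}

// Build a nonce-based policy for a single-page app whose bundle is served from
// its own origin and whose API is on a separate origin (assumed here).
// `nonce` must be a fresh CSPRNG value per response (e.g. 16 random bytes,
// base64-encoded) and the same value must appear on every <script nonce="...">
// tag the server emits for that response.
function buildStrictPolicy(nonce, apiOrigin) {
  const d = new Map([
    ['default-src', ["'self'"]],
    // 'strict-dynamic' lets nonced scripts load further scripts (bundle chunks)
    // while host allowlists are ignored, so a compromised CDN host cannot be used.
    ['script-src', [`'nonce-${nonce}'`, "'strict-dynamic'"]],
    ['style-src', ["'self'"]],
    ['img-src', ["'self'", 'data:']],
    ['connect-src', ["'self'", apiOrigin]],
    ['object-src', ["'none'"]],
    ['base-uri', ["'none'"]],
    ['frame-ancestors', ["'none'"]],
    ['form-action', ["'self'"]],
  ]);
  return serializeCsp(d);
}

// Constructed sample: a permissive policy of the kind that defeats the point of CSP.
const WEAK_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; style-src 'self' 'unsafe-inline'";

// Constructed sample nonce and API origin; real deployments generate a nonce per response.
const STRICT_POLICY = buildStrictPolicy('c29tZXNhbHQxMjM0NTY=', 'https://okapi.example.org');
```

Running `lintCsp(WEAK_POLICY)` yields five findings (inline scripts, eval, any-https host, no `base-uri`, no `frame-ancestors`), while `lintCsp(STRICT_POLICY)` yields none. The strict policy is deliberately tight: a bundle that relies on inline style attributes or on third-party script hosts will break under it, which is exactly the application knowledge the ticket asks for. The usual way to discover those needs without breaking users is to ship the candidate policy first in a `Content-Security-Policy-Report-Only` header and review the violation reports before switching to the enforcing header.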
| Comments |
| Comment by Craig McNally [ 16/Jun/22 ] |
|
Khalilah Gambrell, the security team is wondering if stripes-force can take a look at this - and possibly create a spike as mentioned in the description. Thanks! |
| Comment by Khalilah Gambrell [ 18/Jun/22 ] |
|
Hey Craig McNally, I will have the stripes-force team review, but I am unsure what the goal is - is it to define guidelines for how to deploy CSP and any exceptions? If so, does the security team want to review and approve guidelines before they are presented to developers? |
| Comment by Craig McNally [ 17/Nov/22 ] |
|
Khalilah Gambrell this came up again at the security team meeting... There are several parties that should be involved here, including the stripes-force/architecture, security team, sys-ops sig, etc. It probably makes sense to start with pulling together a strawman set of guidelines/suggestions. The interested parties could then review and provide some initial feedback. If we need to iterate on this we can create follow-on stories for that, which may be assigned to stripes-force, or handled by someone else. |