You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Document Security configuration page, CSP options and CspHook
Adds a Security Configuration section to 03-Configuration.md covering
all new config.ini keys (use_custom_csp, custom_csp, csp_enable_modules,
csp_enable_dashboards, csp_enable_navigation). Expands the CSP section
in 20-Advanced-Topics.md to explain per-source controls, the CspHook
extension point and the custom CSP override, including the {style_nonce}
placeholder. Adds a CspHook reference entry with an example
implementation to 60-Hooks.md.
| use\_strict\_csp |**Optional.** Set this to `1` to enable strict [Content Security Policy](20-Advanced-Topics.md#advanced-topics-csp). Defaults to `0`. |
| use\_strict\_csp |**Optional.** Set this to `1` to enable strict [Content Security Policy](20-Advanced-Topics.md#advanced-topics-csp). Defaults to `0`. |
89
+
| use\_custom\_csp |**Optional.** Set this to `1` to enable the use of the user defined Content Security Policy. Defaults to `0`. |
90
+
| custom\_csp |**Optional.** Specifies the user defined Content Security Policy. Overrides the automatically generated one. Only used if `use_custom_csp` is set to `1`. |
91
+
| csp\_enable\_modules |**Optional.** Specifies if modules should be included in the generated Content Security Policy. Defaults to `1`. |
92
+
| csp\_enable\_dashboards |**Optional.** Specifies if dashboards should be included in the generated Content Security Policy. Defaults to `1`. |
93
+
| csp\_enable\_navigation |**Optional.** Specifies if navigation menu items should be included in the generated Content Security Policy. Defaults to `1`. |
Copy file name to clipboardExpand all lines: doc/20-Advanced-Topics.md
+32-10Lines changed: 32 additions & 10 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -117,24 +117,35 @@ systemctl reload httpd
117
117
118
118
Elevate your security standards to an even higher level by enabling the [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) for Icinga Web.
119
119
Enabling strict CSP can prevent your Icinga Web environment from becoming a potential target of [Cross-Site Scripting (XSS)](https://developer.mozilla.org/en-US/docs/Glossary/Cross-site_scripting)
120
-
and data injection attacks. After enabling this feature Icinga Web defines all the required CSP headers. Subsequently,
120
+
and data injection attacks. After enabling this feature, Icinga Web defines all the required CSP headers. Subsequently,
121
121
only content coming from Icinga Web's own origin is accepted, inline JS is prohibited, and inline CSS is accepted only
122
122
if it contains the nonce set in the response header.
123
123
124
124
We decided against enabling this by default as we cannot guarantee that all the modules out there will function correctly.
125
125
Therefore, you have to manually enable this policy explicitly and accept the risks that this might break some of
126
-
the Icinga Web modules. Icinga Web and all it's components listed below, on the other hand, fully support strict CSP. If
126
+
the Icinga Web modules. Icinga Web and all its components listed below, on the other hand, fully support strict CSP. If
127
127
that's not the case, please submit an issue on GitHub in the respective repositories.
128
128
129
-
To enable the strict content security policy navigate to **Configuration > Application** and toggle "Enable strict content security policy",
130
-
or set the`use_strict_csp` in the `config.ini`.
129
+
To enable the strict content security policy, navigate to **Configuration > Application > Security** and toggle
130
+
"Send CSP header", or set `use_strict_csp` in the `config.ini`.
131
131
132
-
```
133
-
vim /etc/icingaweb2/config.ini
132
+
Icinga does its best to support user-defined content like navigation items and dashboard dashlets. If that behavior is
133
+
not desired, you can disable both by disabling the corresponding feature in the **Security page** at
134
+
**Configuration > Application > Security** or by setting `csp_enable_navigation` or `csp_enable_dashboards` in the
135
+
`config.ini`. Note that while you can see all navigation items and dashboards, the actual CSP is generated per user
136
+
and does not include the full set of directives shown.
134
137
135
-
[security]
136
-
use_strict_csp = "1"
137
-
```
138
+
If it is necessary to add extra entries to the CSP header, you can do so by using the `CspHook` hook,
139
+
read more about it [here](60-Hooks.md#hooks-csp). This is the preferred way to extend the CSP header
140
+
because it is an additive and modular approach.
141
+
142
+
Alternatively you can define your own CSP header by setting the `custom_csp` in the `config.ini` or by configuring the
143
+
`Custom CSP` section at **Configuration > Application > Security** which will completely overwrite the generated
144
+
CSP header.
145
+
Therefore, you are responsible for ensuring that the CSP header is valid, does not contain insecure directives,
146
+
is kept up to date with updates or changes to the icingaweb application or its components, and works for every user.
147
+
When creating your own CSP header, you can use the placeholder `{style_nonce}` in place of the
148
+
automatically generated nonce. This will be replaced with the actual nonce when a user loads icingaweb.
138
149
139
150
Here is a list of all Icinga Web components that are capable of strict CSP.
140
151
@@ -155,6 +166,17 @@ Here is a list of all Icinga Web components that are capable of strict CSP.
155
166
| Icinga Web AWS Integration |[v1.1.0](https://github.com/Icinga/icingaweb2-module-aws/releases/tag/v1.1.0)|
156
167
| Icinga Web vSphere Integration |[v1.8.0](https://github.com/Icinga/icingaweb2-module-vspheredb/releases/tag/v1.8.0)|
0 commit comments