Totoro, posted August 18, 2022

Someone told me this about my site:

"Website is vulnerable to clickjacking. Impact: The site can also be opened in an iframe after the user has logged in, making it hard for the user to avoid phishing. A user can be tricked into entering his credentials in what may be the placeholder for the original website details, and thus his credentials would be sent to the attacker. Furthermore, the Payment page is also vulnerable to UI redressing, allowing an attacker to gain access to the user's payment credentials. Remediation: Add an iframe destroyer in the header of the page. Also, if you would like your website to open in specified iframe origins, then you can define the Origin headers for those websites or origins."

I told the host about it and they suggested the following and did it after I approved:

"This would be a good read: https://blog.sucuri.net/2021/10/how-to-set-up-a-content-security-policy-csp-in-3-steps.html

This, for example, can be added to WHMCS's .htaccess:

    Header set Content-Security-Policy-Report-Only "default-src 'self'; img-src *"

The below code is in its .htaccess file:

    Header set Content-Security-Policy-Report-Only "default-src 'self'; img-src *"

It is added in /home/xxx/public_html/.htaccess"

My question to you please is, is there anything else to do or check? It should not prevent any other normal operation of the site, right?
sol2010, posted October 4, 2022 (edited)

I think it would be good if WHMCS staff could comment on this, it is an important aspect of site security.

Here is another good resource:

https://htaccessbook.com/important-security-headers/
https://owasp.org/www-community/attacks/Clickjacking

Basically, if you put the following in your .htaccess file, it will be a start - so, for example, at yoursite.com/whmcs/.htaccess. However, be warned the CSP can break a lot of stuff on your site, so you'll need to thoroughly test it.

At the very least you should have:

    Content-Security-Policy: frame-ancestors 'self';

(more info)

    Header set Content-Security-Policy "frame-ancestors 'self'; upgrade-insecure-requests; default-src 'self'; script-src 'self' data: cdnjs.cloudflare.com Analytics Tools & Solutions for Your Business - Google Analytics reCAPTCHA https://googleapis.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; object-src 'self'; frame-src data: google.com; img-src 'self' data: gstatic.com; font-src 'self' fonts.gstatic.com; connect-src 'self'; base-uri 'self'; form-action 'self'; worker-src 'none';"

You will have to add all the URLs for various scripts and services you use.

This is a good site (by Google) to check your current policies: https://csp-evaluator.withgoogle.com/

Edited October 4, 2022 by sol2010