-
-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Addressing CSP Configuration in BookStack: Resolving Security Scan Findings #5197
Comments
Hi @mschoon85, From what I understand from this site, it should be fine to add extra CSP headers and the browser will choose the most restrictive. The tricky part will be the script header, since we use a nonce for these. It may be possible to alter the existing headers using nginx map's ability but this is not something I've ever played with. |
@ssddanbrown It seems that there is an issue. When I introduce an additional or replacement Content Security Policy (CSP) into /config/nginx/ssl.conf, the scan results indicate that both CSPs are being applied simultaneously. single - bookstack CSP only scan results: extra CSP in /config/nginx/ssl.conf scan results: Would you consider implementing these changes into BookStack to enhance the application's security further? 'http:' scheme should not be used: 'https:' scheme without a specific main domain should not be used: 'default-src' with sufficiently secure value should be defined: 'form-action' with sufficiently secure value should be defined: Here is the security scan we utilize: https://en.internet.nl/site/knowledgebase.sittard-geleen.nl/2946123/ |
Sounds like a potential limitation in the scan logic, in not being able to understand interactions with multiple CSP headers?
Maybe, but only where it would make sense or there's an actual need. Again, Happy to consider tweaking rules, but I just want to make sure there's considered value in doing so, relative to the extra support effort & breaking impact, rather than doing so with the aim to pass a specific scan for business reasons. |
Would you consider adding a configuration option that allows users to fully customize the CSP from within the BookStack configuration? This could be particularly useful for organizations like mine that need to comply with strict security standards and scans. I understand the need to limit additional maintenance and support complexity, but I believe a more flexible CSP configuration could be valuable for organizations facing increasingly stringent security requirements. |
I'm not too keen on adding a higher level option since we have existing CSP options that would then potentially (be expected) interplay and add complexity, and I don't want to go down the road of adding options just for the sake of editing headers, which could be done at webserver level. Could maybe add a logical theme hook instead, but again more to maintain for something which could be done at webserver level. Did you attempt the nginx map option at all? |
Yes, I have tried using the nginx map directive. I added the following to /config/nginx/nginx.conf:
and to /config/nginx/site-confs/default.conf:
Unfortunately, the default (CSP) for BookStack is still in use. |
Yeah, spent a moment on this and looks like nginx makes this a pain since there's no real way of replacing a header without the headers_more module. For reference, here's a reduced/simplified example of nonce-respecting map $sent_http_content_security_policy $altered_csp {
default "$sent_http_content_security_policy";
"~nonce-(?<bsnonce>.+?)'" "script-src 'self' 'nonce-$bsnonce' 'strict-dynamic';";
} |
@ssddanbrown, was the example you provided effective? |
@mschoon85 It's an example of how you can create a new CSP value using the |
Attempted Debugging
Searched GitHub Issues
Describe the Scenario
Hi @ssddanbrown,
Our new BookStack instance is now publicly accessible. Being a government entity, we are obligated to adhere to specific security standards. We employ a particular security scan to identify risks, and the following risk is the only one I was unable to resolve, although I managed to resolve quite a few others. From what I can see, Bookstack is providing the CSP settings. I've tried to reduce the risk by including the following in the /config/nginx/ssl.conf file inside the BookStack container:
add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; frame-src 'self' https://*.draw.io https://*.youtube.com https://*.youtube-nocookie.com https://*.vimeo.com https://embed.diagrams.net; script-src 'self' https://ourbookstackURL.nl 'nonce-ournoncenumber' 'strict-dynamic'; object-src 'self'; base-uri 'self'; form-action 'self';";
However, this leads to duplicate CSP settings as indicated by the security scan, implying that the original CSP is derived from Bookstack itself. What actions can we take to mitigate this risk or modify the default CSP settings in BookStack? The scan results below do not include duplicates, as they were obtained without modifying ssl.conf.
Content-Security-Policy: Detailed Report
Verdict:
Your web server does not offer Content-Security-Policy (CSP), or does offer CSP with certain insecure settings.
Technical details:
["frame-ancestors 'self'; frame-src 'self' https://*.draw.io https://*.youtube.com https://*.youtube-nocookie.com https://*.vimeo.com https://embed.diagrams.net; script-src http: https: 'nonce-rKI8RE08Qm8HwcEvVVr8Qd1Z' 'strict-dynamic'; object-src 'self'; base-uri 'self'"]
Recommendations:
'http:' scheme should not be used:
Explanation:
Using the
http:
scheme allows content to be loaded over an insecure connection. This can expose your website to man-in-the-middle attacks, where an attacker intercepts and potentially alters the communication between the browser and the server. Always usehttps:
to ensure that content is delivered securely.'https:' scheme without a specific main domain should not be used:
Explanation:
Using a general
https:
scheme without specifying the exact main domain (e.g.,https://*.example.com
) is insecure because it can allow any subdomain underexample.com
to be trusted. Instead, specify the exact domains or subdomains that are trusted, such ashttps://scripts.example.com
.'default-src' with sufficiently secure value should be defined:
Explanation:
The
default-src
directive sets the default source policy for fetching content such as scripts, stylesheets, and images. If it's not defined or too permissive, attackers may load malicious content. A securedefault-src
should be either'none'
,'self'
, or specify trusted domains explicitly.'form-action' with sufficiently secure value should be defined:
Explanation:
The
form-action
directive restricts the URLs that can handle form submissions. Without securely defining this, attackers may redirect form submissions to malicious servers. Ensure that theform-action
directive only allows trusted URLs, like'self'
, to handle form data.Exact BookStack Version
24.05.3
Log Content
No response
Hosting Environment
Ubuntu 24.04 + Docker
The text was updated successfully, but these errors were encountered: