
HTTP headers security htaccess


danielfpaiva


Good evening,

At the moment I am trying to set up HTTP security headers in the .htaccess file, but I am having a problem related to the Content-Security-Policy.

In my file I have the following set of rules

    Header set Cache-Control "no-cache, no-store, must-revalidate"
    Header set Pragma "no-cache"
    Header set Expires 0
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Frame-Options "DENY"
    Header set X-Content-Type-Options nosniff
    Header always set Referrer-Policy "same-origin"
    Header always set Feature-Policy "microphone 'none'; payment 'none'; sync-xhr 'self' https://coilcrypto.com"
    Header add Content-Security-Policy "default-src 'self'"
    Header add Content-Security-Policy "script-src 'self' https://cdn.jsdelivr.net/ cdn.amcharts.com"
    Header add Content-Security-Policy "style-src 'self' fonts.googleapis.com use.fontawesome.com"
    Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

When I load the site with these lines, none of the external CSS and JS files are loaded.
However, when I remove the lines related to Content-Security-Policy, the files are loaded again.

Could you help me with this?


You are setting multiple Content-Security-Policy headers. Try putting all the directives in a single header.

Header add Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.jsdelivr.net/ cdn.amcharts.com; style-src 'self' fonts.googleapis.com use.fontawesome.com"

When I put everything on a single line

<IfModule mod_headers.c>
    Header set Cache-Control "no-cache, no-store, must-revalidate"
    Header set Pragma "no-cache"
    Header set Expires 0
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Frame-Options "DENY"
    Header set X-Content-Type-Options nosniff
    Header always set Referrer-Policy "same-origin"
    Header always set Feature-Policy "microphone 'none'; payment 'none'; sync-xhr 'self' https://coilcrypto.com"
    Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
    Header add Content-Security-Policy "default-src 'self'; script-src 'self' cdn.jsdelivr.net cdn.amcharts.com; style-src 'self' fonts.gstatic.com http://fonts.googleapis.com/ use.fontawesome.com"
</IfModule>

I still have the problem that some files are not loaded.
Here are some examples:

Request URL: https://fonts.gstatic.com/s/montserrat/v14/JTURjIg1_i6t8kCHKm45_cJD3gTD_u50.woff2
Referrer Policy: strict-origin-when-cross-origin
Provisional headers are shown
Origin: http://localhost
Referer: https://fonts.googleapis.com/

I also noticed that I have now started getting a warning about SameSite cookies, and I have no idea what that is.

Quote

A cookie associated with a cross-site resource at http://amcharts.com/ was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`.

Does anyone know what this might be?


"SameSite" prevents browsers from sending cookies on cross-site requests. The goal is to mitigate the risk of information leaks through cookies on cross-site requests. If you want to know more about it, have a look at https://web.dev/samesite-cookies-explained/

As for the Content-Security-Policy, take a look here https://developer.mozilla.org/pt-BR/docs/Web/HTTP/Headers/Content-Security-Policy, in particular at the section on multiple security policies and at the examples.

10 REM Generation 48K!
20 INPUT "URL:", A$
30 IF A$(1 TO 4) = "HTTP" THEN PRINT "400 Bad Request": GOTO 50
40 PRINT "404 Not Found"
50 PRINT "./M6 @ Portugal a Programar."
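The two symptoms in this thread follow from how browsers evaluate CSP source lists, and a small evaluator makes both visible. The following script is an added example, not code from the thread or from Apache; it models only the subset of CSP needed here ('self', 'none', scheme sources, host sources with an optional scheme and path, the default-src fallback, and the rule that several Content-Security-Policy headers are each enforced independently, so a fetch must be allowed by every one of them). Ports, nonces and hashes are left out. The page origin http://localhost and the .woff2 URL are taken from the devtools output quoted above; the script URL under cdn.amcharts.com is a constructed placeholder. The point it shows beyond the replies: a font fetched by a Google Fonts stylesheet is governed by font-src, which falls back to default-src when absent, so listing fonts.gstatic.com under style-src does not allow it.

```python
"""Toy evaluator for the CSP matching rules this thread runs into (added example)."""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when they are absent.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "font-src", "img-src",
                         "connect-src", "media-src", "object-src", "frame-src"}


def parse_policy(header_value: str) -> dict[str, list[str]]:
    """Split one CSP header value into {directive-name: [source expressions]}."""
    policy = {}
    for chunk in header_value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _scheme_ok(expected: str, actual: str) -> bool:
    # CSP3 scheme matching: an http source also allows https, never the reverse.
    return actual == expected or (expected == "http" and actual == "https")


def _source_matches(source: str, url: str, page_origin: str) -> bool:
    """Does one source expression allow a fetch of `url` from a page at `page_origin`?"""
    target, origin = urlsplit(url), urlsplit(page_origin)
    if source == "'self'":
        return (target.scheme, target.netloc) == (origin.scheme, origin.netloc)
    if source.startswith("'"):            # 'none', 'unsafe-inline', nonces, hashes
        return False                      # never match a URL fetch
    if source == "*":
        return True                       # simplification: '*' allows any host
    if source.endswith(":") and "/" not in source:   # scheme-source such as https:
        return _scheme_ok(source[:-1], target.scheme)
    # host-source: [scheme://]host[/path]; without a scheme the page's scheme applies
    src = urlsplit(source if "://" in source else "//" + source)
    host, pattern = target.hostname or "", src.hostname or ""
    host_ok = host.endswith(pattern[1:]) if pattern.startswith("*.") else host == pattern
    scheme_ok = _scheme_ok(src.scheme or origin.scheme, target.scheme)
    path_ok = src.path in ("", "/") or target.path.startswith(src.path)
    return host_ok and scheme_ok and path_ok


def allowed_by_policy(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """Evaluate one parsed policy for a fetch governed by `directive`."""
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True                       # nothing in this policy restricts the fetch
    return any(_source_matches(s, url, page_origin) for s in sources)


def allowed(csp_headers: list[str], directive: str, url: str,
            page_origin: str = "http://localhost") -> bool:
    """Several CSP headers are all enforced: the fetch must pass each of them."""
    return all(allowed_by_policy(parse_policy(h), directive, url, page_origin)
               for h in csp_headers)


# Constructed inputs mirroring the thread; http://localhost comes from the
# devtools output quoted above.
SPLIT_HEADERS = [                         # the three separate headers of the first post
    "default-src 'self'",
    "script-src 'self' https://cdn.jsdelivr.net/ cdn.amcharts.com",
    "style-src 'self' fonts.googleapis.com use.fontawesome.com",
]
MERGED_HEADER = [                         # the single merged header of the follow-up post
    "default-src 'self'; script-src 'self' cdn.jsdelivr.net cdn.amcharts.com; "
    "style-src 'self' fonts.gstatic.com http://fonts.googleapis.com/ use.fontawesome.com",
]
# Same header plus a font-src directive, which is what actually governs .woff2 loads.
MERGED_WITH_FONT_SRC = [MERGED_HEADER[0] + "; font-src 'self' fonts.gstatic.com"]

SCRIPT_URL = "https://cdn.amcharts.com/lib/4/core.js"       # constructed placeholder path
FONT_URL = ("https://fonts.gstatic.com/s/montserrat/v14/"
            "JTURjIg1_i6t8kCHKm45_cJD3gTD_u50.woff2")        # from the thread's devtools output


def thread_cases() -> dict[str, bool]:
    """The four situations discussed in the thread, as the evaluator sees them."""
    return {
        # header 1 has no script-src, so its default-src 'self' alone vetoes the CDN script
        "split_headers_script": allowed(SPLIT_HEADERS, "script-src", SCRIPT_URL),
        "merged_header_script": allowed(MERGED_HEADER, "script-src", SCRIPT_URL),
        # fonts.gstatic.com sits under style-src, but a font load is font-src -> default-src
        "merged_header_font": allowed(MERGED_HEADER, "font-src", FONT_URL),
        "merged_with_font_src_font": allowed(MERGED_WITH_FONT_SRC, "font-src", FONT_URL),
    }


if __name__ == "__main__":
    for name, ok in thread_cases().items():
        print(f"{name}: {'allowed' if ok else 'BLOCKED'}")
```

Running it reports the first-post configuration blocking the CDN script, the merged header allowing it, the same merged header still blocking the Montserrat .woff2, and the variant with an explicit font-src allowing it. The same evaluator can be pointed at any other resource from the devtools request list to see which directive, and which of the headers, is doing the blocking.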

