1 change: 1 addition & 0 deletions src/Umbraco.Core/Constants-HealthChecks.cs
Expand Up @@ -52,6 +52,7 @@ public static class Security
[Obsolete("This link is not used anymore in the XSS protected check.")]
public const string XssProtectionCheck = "https://umbra.co/healthchecks-xss-protection";
public const string ExcessiveHeadersCheck = "https://umbra.co/healthchecks-excessive-headers";
public const string CspHeaderCheck = "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP";
Would be nice if you (or someone else) could also add a page to the umbraco docs (like the others, e.g. https://docs.umbraco.com/umbraco-cms/extending/health-check/guides/clickjackingprotection). 🙂

@lauraneto Totally agree, I just created an issue and I will add a page to the docs.


public static class HttpsCheck
{
6 changes: 6 additions & 0 deletions src/Umbraco.Core/EmbeddedResources/Lang/en.xml
Expand Up @@ -467,6 +467,12 @@
You can read about this on the <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection" target="_blank" rel="noopener" class="btn-link -underline">Mozilla</a> website ]]></key>
<key alias="xssProtectionCheckHeaderNotFound">
<![CDATA[The header <strong>X-XSS-Protection</strong> was not found.]]></key>
<key alias="contentSecurityPolicyCheckHeaderFound">
<![CDATA[The header <strong>Content-Security-Policy (CSP)</strong> was found. ]]>
</key>
<key alias="contentSecurityPolicyCheckHeaderNotFound">
<![CDATA[The header <strong>Content-Security-Policy</strong> (CSP) used to prevent cross-site scripting (XSS) attacks and other code injection vulnerabilities was not found.]]>
</key>
<key alias="excessiveHeadersFound"><![CDATA[The following headers revealing information about the website technology were found: <strong>%0%</strong>.]]></key>
<key alias="excessiveHeadersNotFound">No headers revealing information about the website technology were found.
</key>
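Review bot: The two new messages describe the header inconsistently — `<strong>Content-Security-Policy (CSP)</strong>` in `contentSecurityPolicyCheckHeaderFound` versus `<strong>Content-Security-Policy</strong> (CSP)` in `contentSecurityPolicyCheckHeaderNotFound` — and the first ends with a stray space before `]]>`. Suggest aligning both on `<strong>Content-Security-Policy</strong> (CSP)` and trimming the space. Since the accompanying CspCheck constructor appears to hand the base class only the header name, the "found" message would be more honest if it said what was actually verified, e.g. `The header <strong>Content-Security-Policy</strong> (CSP) was found. This check does not validate the policy's directives.` The same six lines are added to en_us.xml in the next section.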
6 changes: 6 additions & 0 deletions src/Umbraco.Core/EmbeddedResources/Lang/en_us.xml
Expand Up @@ -455,6 +455,12 @@
You can read about this on the <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection" target="_blank" rel="noopener" class="btn-link -underline">Mozilla</a> website ]]></key>
<key alias="xssProtectionCheckHeaderNotFound">
<![CDATA[The header <strong>X-XSS-Protection</strong> was not found.]]></key>
<key alias="contentSecurityPolicyCheckHeaderFound">
<![CDATA[The header <strong>Content-Security-Policy (CSP)</strong> was found. ]]>
</key>
<key alias="contentSecurityPolicyCheckHeaderNotFound">
<![CDATA[The header <strong>Content-Security-Policy</strong> (CSP) used to prevent cross-site scripting (XSS) attacks and other code injection vulnerabilities was not found.]]>
</key>
<key alias="excessiveHeadersFound">
<![CDATA[The following headers revealing information about the website technology were found: <strong>%0%</strong>.]]></key>
<key alias="excessiveHeadersNotFound">No headers revealing information about the website technology were found.
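--- a/src/Umbraco.Core/HealthChecks/Checks/Security/CspCheck.cs
+++ b/src/Umbraco.Core/HealthChecks/Checks/Security/CspCheck.cs
@@ -0,0 +1,31 @@
+// Copyright (c) Umbraco.
+// See LICENSE for more details.
+
+using Umbraco.Cms.Core.Hosting;
+using Umbraco.Cms.Core.Services;
+
+namespace Umbraco.Cms.Core.HealthChecks.Checks.Security;
+
+/// <summary>
+/// Health check for the recommended production setup regarding the content-security-policy header.
+/// </summary>
+[HealthCheck(
+"10BEBF47-C128-4C5E-9680-5059BEAFBBDF",
+"Content Security Policy (CSP)",
+Description = "Checks whether the site contains a Content-Security-Policy (CSP) header.",
+Group = "Security")]
+public class CspCheck : BaseHttpHeaderCheck
+{
+private const string LocalizationPrefix = "contentSecurityPolicy";
+
+/// <summary>
+/// Initializes a new instance of the <see cref="CspCheck" /> class.
+/// </summary>
+public CspCheck(IHostingEnvironment hostingEnvironment, ILocalizedTextService textService)
+: base(hostingEnvironment, textService, "Content-Security-Policy", LocalizationPrefix, false, false)
+{
+}
+
+/// <inheritdoc />
+protected override string ReadMoreLink => Constants.HealthChecks.DocumentationLinks.Security.CspHeaderCheck;
+}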
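Review bot: CspCheck hands the base class only the header name `Content-Security-Policy`; nothing in this file inspects the header's value, so a permissive policy passes the check exactly like a strict one, and that limitation belongs in the class summary, e.g. `/// This is a presence check only: the policy's directives are not validated.` The two positional `false, false` arguments in the base constructor call are opaque to a reader because BaseHttpHeaderCheck's parameter names are not visible in this hunk; named arguments using the base constructor's actual parameter names, or a one-line comment, would make the intent clear. Whether a `Content-Security-Policy-Report-Only` header (which reports but does not enforce) would also count as "found" depends on how BaseHttpHeaderCheck matches header names, which cannot be determined from this file.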