Best settings for HTTP security headers

Product: PowerShell Universal
Version: 5.5.3

Following Hosting | PowerShell Universal, I have set up the following response headers:

{
    "Kestrel" : {
        "Headers": {
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;",
            "X-Frame-Options": "DENY",
            "X-Content-Type-Options": "nosniff",
            "Referrer-Policy": "origin-when-cross-origin"
        }
    }
}

These settings work fine for my apps, but they lock me out of my admin portal. To allow access again I need to add script-src 'self' 'unsafe-inline' to the Content-Security-Policy, which circumvents most of the security added by this setting.

Is there a way to make this work without allowing unsafe inline scripts?

Replying to myself here, since we have updated PSU and now have to add another exception to keep PSU working. It seems unsafe-eval is required for React to be able to assign unique keys to elements. I first noticed this when opening the Apps page after upgrading, which would not show my apps.

So, for anyone having this issue, this is the current hardened policy we are working with.

{
    "Kestrel" : {
        "Headers": {
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;",
            "X-Frame-Options": "DENY",
            "X-Content-Type-Options": "nosniff",
            "Referrer-Policy": "origin-when-cross-origin"
        }
    }
}
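The point both posts turn on is which directive a keyword actually lands in: a browser resolves script-src to default-src when script-src is absent, and an 'unsafe-eval' placed under style-src does nothing for scripts. The check below is an added example, not code from the thread or from PowerShell Universal. It parses a Content-Security-Policy value, applies the default-src fallback, and reports which directives effectively permit 'unsafe-inline' and 'unsafe-eval'. The three policy strings are constructed for the example: the first post's lockout policy, a variant with 'unsafe-eval' misplaced under style-src, and the policy that matches what the second post says is needed.

```python
"""Effective-allowance check for a Content-Security-Policy header.

Added example for the thread above; not PowerShell Universal code.
The policy strings are constructed from the posts for illustration.
"""

# Fetch directives that fall back to default-src when they are absent.
# (Subset of the CSP3 list; enough for the headers in the thread.)
FALLBACK_TO_DEFAULT = (
    "script-src", "style-src", "img-src", "connect-src",
    "font-src", "frame-src", "object-src", "media-src",
)

# Constructed policies: the first post's header, a misplaced-keyword
# variant, and the header the second post says PSU's React UI needs.
LOCKOUT_POLICY = (
    "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;"
)
MISPLACED_POLICY = (
    "default-src 'self'; style-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "img-src 'self' data:;"
)
WORKING_POLICY = (
    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "style-src 'self' 'unsafe-inline'; img-src 'self' data:;"
)


def parse_csp(header):
    """Return {directive: [source, ...]}. A repeated directive is ignored,
    which is how browsers treat duplicates within one policy."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def effective_sources(policy, directive):
    """Sources the browser enforces for `directive`, honouring the
    default-src fallback for fetch directives that are not set."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT:
        return policy.get("default-src", [])
    return []


def unsafe_allowances(header):
    """Map each fetch directive to the set of unsafe-* keywords it
    effectively permits (after fallback). Directives with none are omitted."""
    policy = parse_csp(header)
    report = {}
    for directive in FALLBACK_TO_DEFAULT:
        keywords = {
            src.strip("'")
            for src in effective_sources(policy, directive)
            if src.startswith("'unsafe-")
        }
        if keywords:
            report[directive] = keywords
    return report


def scripts_may_inline(header):
    """True if inline <script> blocks and event handlers will execute."""
    return "unsafe-inline" in unsafe_allowances(header).get("script-src", set())


def scripts_may_eval(header):
    """True if eval()/new Function() will execute."""
    return "unsafe-eval" in unsafe_allowances(header).get("script-src", set())


def describe(label, header):
    return "%s: inline=%s eval=%s unsafe=%s" % (
        label, scripts_may_inline(header), scripts_may_eval(header),
        unsafe_allowances(header),
    )


if __name__ == "__main__":
    print(describe("lockout  ", LOCKOUT_POLICY))
    print(describe("misplaced", MISPLACED_POLICY))
    print(describe("working  ", WORKING_POLICY))
```

Running it shows that the lockout policy grants scripts nothing beyond 'self' (scripts inherit default-src), that the misplaced variant still grants scripts no eval even though the keyword is present in the header, and that only a policy with an explicit script-src reaches the state the second post describes. The check covers fetch directives only; X-Frame-Options: DENY in the same header set has no CSP counterpart here, and the CSP equivalent, frame-ancestors 'none', does not inherit from default-src, so it would need to be stated explicitly if the intent is to rely on CSP alone.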