Introducing Jhoose Security – A module to manage your Content Security Policy

It has always been difficult to manage the CSP on a website, this new module for Optimizley aims to make the process easier giving control back to advanced editors.

Features

Interface to manage policies.
Global ‘report only’ mode, or specify for each policy.
Add ‘nonce’ to inline script or style tags.
Ability to specify paths that are excluded from outputting the policy header.

Administration

Once the module is installed you will see a new ‘Security’ menu item within the top menu.

Settings

This screen gives you access to the global settings of the module, allowing the module to be enabled/disabled or switched into ‘Report Only’ mode.

It is also possible to specify an endpoint for a reporting service.

View Policies

All security policies are listed, with a summary of the policy configuration. A user is then able to click on a policy to view the policy in greater detail or amend it as required.

Edit Policy

This screen allows for an individual policy to be managed by the user, these will be saved when the ‘OK’ button is pressed.

When changes are made it is recommended that they are tested in ‘Report Only’ mode to ensure that nothing is adversely impacted by the new configuration.

Installation

Install the package directly from the Optimizley Nuget repository. This will install the admin interface along with the middleware to add the CSP header to the response.

Github: https://github.com/andrewmarkham/contentsecuritypolicy

dotnet add package Jhoose.Security.Admin

Configuration

Startup.cs

services.AddJhooseSecurity(IConfiguration configuration, Action<SecurityOptions> options = null);

The Action<SecurityOptions> options is optional and if not specified then the default will be used.

  "JhooseSecurity": {
    "ExclusionPaths": [
      "/episerver"
    ]
  }

ExclusionPaths: Any request which starts with a path specified in this property will not include the CSP header.

app.UseJhooseSecurity();

Nonce Tag Helper

It is possible to get a nonce added to your inline <script> and <style> tags.

_ViewImports.cshtml

@addTagHelper *, Jhoose.Security.Core

<script nonce src="/assets/js/jquery.min.js"></script>

2 thoughts on “Introducing Jhoose Security – A module to manage your Content Security Policy”

johnnymullaney on November 3, 2021 at 5:08 pm said:

This is excellent Andy. Well done!

Loading...

Reply ↓
- Andrew Markham on November 3, 2021 at 7:01 pm said:
  
  Thanks Johnny 🙂
  
  Loading...
  
  Reply ↓

jhoose

Andrew Markham – My Personal Blog

Introducing Jhoose Security – A module to manage your Content Security Policy

Features

Administration

Settings

View Policies

Edit Policy

Installation

Configuration

Nonce Tag Helper

Like this:

2 thoughts on “Introducing Jhoose Security – A module to manage your Content Security Policy”

Leave a Reply to Andrew MarkhamCancel reply

Features

Administration

Settings

View Policies

Edit Policy

Installation

Configuration

Nonce Tag Helper

Share this:

Like this:

2 thoughts on “Introducing Jhoose Security – A module to manage your Content Security Policy”

Leave a Reply to Andrew MarkhamCancel reply

Discover more from jhoose