Slim/Improve security

From Aimeos documentation


Protect against cross-site scripting (XSS)

Modern browsers can be told to refuse to execute JavaScript injected by an attacker. The technique is called "Content Security Policy" (CSP) and is activated by sending the appropriate HTTP headers. You can add the required headers via the response object in your Slim application:

  // withHeader() returns a new PSR-7 response object, so keep the result
  $response = $response->withHeader( "Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'" )
      // legacy prefixed names understood by older browsers
      ->withHeader( "X-Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'" )
      ->withHeader( "X-Webkit-CSP", "default-src 'self'; style-src 'self' 'unsafe-inline'" );

This tells the browser to load content (JavaScript, CSS, images, etc.) only from your own server, and additionally to allow inline CSS declarations (necessary for displaying the product pictures as scalable backgrounds).

If you are using a different domain for serving static content, you have to add this domain to both the "default-src" and the "style-src" directive (without quotes in this case; only keywords such as 'self' and 'unsafe-inline' are quoted).
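The following is an added example, not code from the Aimeos documentation or the Slim project. It packages the steps above as a Slim middleware that builds the policy value from a list of extra static-content hosts, so that the quoting rule (keywords quoted, host names bare) is handled in one place. The Slim 3 style callable signature (request, response, next) and the host name static.example.com are assumptions.

```php
<?php
// Added example (not from the Aimeos documentation or Slim): a Slim 3 style
// middleware that builds the Content-Security-Policy value from a list of
// hosts allowed to serve static content. The host name below is constructed.

/**
 * Build the CSP value described in the text: content only from the own origin
 * ('self'), inline styles allowed, plus any extra static-content hosts.
 * Extra hosts are added bare, while 'self' and 'unsafe-inline' are keywords
 * and must keep their single quotes.
 */
function buildCspHeader(array $staticHosts = []): string
{
    $sources = array_merge(["'self'"], $staticHosts);   // keywords quoted, hosts bare
    $defaultSrc = 'default-src ' . implode(' ', $sources);
    $styleSrc = 'style-src ' . implode(' ', array_merge($sources, ["'unsafe-inline'"]));

    // With no extra hosts this yields exactly the value used in the text:
    // "default-src 'self'; style-src 'self' 'unsafe-inline'"
    return $defaultSrc . '; ' . $styleSrc;
}

// Hypothetical CDN host serving product images and CSS (constructed value)
$staticHosts = ['static.example.com'];

// Slim 3 style middleware (assumed); Slim 4 uses PSR-15 middleware instead
$cspMiddleware = function ($request, $response, $next) use ($staticHosts) {
    // Let the route handler produce the response first
    $response = $next($request, $response);
    $policy = buildCspHeader($staticHosts);

    // Standard header plus the legacy prefixed names for older browsers
    return $response->withHeader('Content-Security-Policy', $policy)
        ->withHeader('X-Content-Security-Policy', $policy)
        ->withHeader('X-Webkit-CSP', $policy);
};

// Register for every route; $app is your \Slim\App instance
// $app->add($cspMiddleware);
```

With the constructed host, the emitted value is `default-src 'self' static.example.com; style-src 'self' static.example.com 'unsafe-inline'`. Keeping the policy in one function also makes it easy to check in the browser's developer console that no resource is blocked before deploying a change.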