Symfony/Improve security

From Aimeos documentation


Protect against cross site scripting (XSS)

Modern browsers can be told to refuse to execute JavaScript that an attacker has injected into a page. The technique is called "Content Security Policy" (CSP) and is activated by sending the appropriate HTTP headers. You can set the required headers within your Symfony application on the response object:

  // Standard header plus the two vendor-prefixed variants used by older browsers
  $response->headers->set( "Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'" );
  $response->headers->set( "X-Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'" );
  $response->headers->set( "X-Webkit-CSP", "default-src 'self'; style-src 'self' 'unsafe-inline'" );

This policy tells the browser to load content (JavaScript, CSS, images, etc.) only from your own server, and additionally to allow inline CSS declarations (necessary for displaying the product pictures as a scalable background).

In Symfony, additional response headers can be added using event listeners. There's a good article about how to implement and configure an event listener that sets response headers.

If you are using a different domain for serving static content, you have to add this domain to the "default-src" and "style-src" directives. Host names are written without apostrophes; only keywords such as 'self' and 'unsafe-inline' are quoted.
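The following event subscriber is an added example, not code from the Aimeos project, showing how the listener mentioned above can set the three CSP headers on every main response and merge an optional static-content host into both directives. The class name, namespace and the `$staticHosts` constructor argument are assumptions; it targets Symfony 5.3 or newer (for `isMainRequest()`) and PHP 8.

```php
<?php
// Added example (not part of the Aimeos documentation): sets the CSP headers
// from this page on each response via the kernel.response event.
namespace App\EventSubscriber; // assumed namespace

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class ContentSecurityPolicySubscriber implements EventSubscriberInterface
{
    /** @param string[] $staticHosts e.g. ['https://static.example.com'] (assumed, from config) */
    public function __construct(private array $staticHosts = [])
    {
        foreach ($this->staticHosts as $host) {
            // A host containing ';' or whitespace would alter the policy structure
            if (preg_match('/[;\s]/', $host)) {
                throw new \InvalidArgumentException("Invalid CSP host: $host");
            }
        }
    }

    public static function getSubscribedEvents(): array
    {
        // Low priority so the headers are applied after other listeners ran
        return [KernelEvents::RESPONSE => ['onKernelResponse', -10]];
    }

    public function buildPolicy(): string
    {
        // Keywords keep their single quotes; host names are added unquoted
        $sources    = array_merge(["'self'"], $this->staticHosts);
        $defaultSrc = implode(' ', $sources);
        $styleSrc   = implode(' ', array_merge($sources, ["'unsafe-inline'"]));

        return sprintf('default-src %s; style-src %s', $defaultSrc, $styleSrc);
    }

    public function onKernelResponse(ResponseEvent $event): void
    {
        if (!$event->isMainRequest()) {
            return; // sub-requests (fragments) are not sent to the browser directly
        }

        $headers = $event->getResponse()->headers;
        $policy  = $this->buildPolicy();

        foreach (['Content-Security-Policy', 'X-Content-Security-Policy', 'X-Webkit-CSP'] as $name) {
            $headers->set($name, $policy);
        }
    }
}
```

With autoconfiguration enabled the subscriber is registered automatically; bind `$staticHosts` in `services.yaml` when static content is served from another domain. After deploying, check the browser console for CSP violation reports to catch resources the policy blocks unintentionally.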