Looking for advice setting Content Security Policy for ZoneMinder

Forum for questions and support relating to the 1.34.x releases only.
Farm_Server
Posts: 11
Joined: Wed Sep 02, 2020 1:37 pm

Looking for advice setting Content Security Policy for ZoneMinder

Post by Farm_Server »

I have ZoneMinder running on Debian 10 and was going over the usual website benchmarks like SSL Labs and Mozilla. According to Mozilla, the current trend is to migrate from the X-Frames based options to using Content Security Policy options in the SSL configuration.

I started playing around with it, but I end up mostly breaking ZoneMinder when setting up any restrictions.

Even restricting content sources to my *.mysubdomain.com creates an annoying issue where I can access a camera config, but only the first page of it; clicking on any of the tabs ceases to work. I find this sort of funny, since I sure hope all of the ZoneMinder page is being served by my domain and wouldn't think this would be much of a site breaker, but it is. Though I am not exactly familiar with setting these policies.

Does anyone here have a good CSP config for ZoneMinder they're willing to share?

I am running a vanilla Debian LAMP install, so OpenSSL 1.1.1d and apache2 2.4.38-3.

Thanks
iconnor
Posts: 2900
Joined: Fri Oct 29, 2010 1:43 am
Location: Toronto

Re: Looking for advice setting Content Security Policy for ZoneMinder

Post by iconnor »

ZoneMinder sets the CSP headers for you...
Farm_Server
Posts: 11
Joined: Wed Sep 02, 2020 1:37 pm

Re: Looking for advice setting Content Security Policy for ZoneMinder

Post by Farm_Server »

Ok, so the Mozilla test I am talking about is found at https://observatory.mozilla.org/ and it will give me a 70/100 score with my SSL config. It dings the score because (according to this Mozilla test) no content security policy is implemented, and because of that it can be vulnerable to cross-site scripting attacks.

I understand this is just a benchmark and could be crying about something that doesn't matter. And it is possible the CSP for ZoneMinder is being implemented in a separate layer of the program from my apache2 SSL config, and that's why this test doesn't 'see' it.

I just had not heard about it before (which isn't saying much) and did not want to leave something exposed that a few keystrokes could improve.

That said, I managed to get policy settings that do work by specifying

    Header set Content-Security-Policy "default-src 'self' *.mydomain.com;"

This got the score to 105/100 A+, but I will happily remove this setting if it is overriding anything or a bad idea for some reason.
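A small checker for the kind of mistake the two-line version of this config makes, added here as an illustration and not code from the post or from ZoneMinder. It assumes Apache mod_headers semantics for `Header set` (each `set` replaces any earlier header of the same name), a constructed copy of the posted directives, and `mydomain.com` as a placeholder host. It parses a CSP value into directives and flags directive names a browser does not recognise (and therefore ignores) and host-sources whose wildcard is not followed by a dot, so the result explains why a policy that "works" may be enforcing nothing.

```python
"""Parse and sanity-check Content-Security-Policy header values (added example)."""
import re

# Directive names browsers recognise (CSP Level 2/3). Anything else is ignored
# by the browser, which makes the header look present while enforcing nothing.
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src", "child-src",
    "worker-src", "manifest-src", "base-uri", "form-action",
    "frame-ancestors", "sandbox", "report-uri", "report-to",
    "upgrade-insecure-requests", "block-all-mixed-content",
}

KEYWORD_SOURCES = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'"}

# host-source: optional scheme, optional "*." label wildcard, hostname, optional port and path
HOST_SOURCE_RE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*(?::(?:\*|\d+))?(?:/\S*)?$",
    re.I,
)


def apply_header_set(config_lines):
    """Emulate Apache 'Header set NAME "VALUE"': a later set replaces an earlier one."""
    headers = {}
    for line in config_lines:
        m = re.match(r'^\s*Header\s+set\s+(\S+)\s+"(.*)"\s*$', line)
        if m:
            headers[m.group(1).lower()] = m.group(2)
    return headers


def parse_csp(value):
    """Split a CSP value into {directive: [sources]}: ';' separates directives, whitespace separates tokens."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_csp(value):
    """Return a list of problems found in a CSP value; an empty list means it parses as a real policy."""
    problems = []
    policy = parse_csp(value)
    if not policy:
        problems.append("empty policy")
    for name, sources in policy.items():
        if name not in KNOWN_DIRECTIVES:
            problems.append(f"unknown directive {name!r}: browsers ignore it, so it enforces nothing")
            continue
        for src in sources:
            if (src in KEYWORD_SOURCES or src == "*" or src.endswith(":")
                    or src.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))):
                continue  # keyword, scheme-source (e.g. https:), nonce or hash: fine
            if src.startswith("*") and not src.startswith("*."):
                problems.append(f"{name}: {src!r} is not a valid host-source (a wildcard must be followed by a dot)")
            elif not HOST_SOURCE_RE.match(src):
                problems.append(f"{name}: {src!r} is not a valid source expression")
    return problems


def audit(config_lines):
    """Resolve the effective CSP header for a set of Apache lines and report what is wrong with it."""
    csp = apply_header_set(config_lines).get("content-security-policy", "")
    return csp, check_csp(csp)


# Constructed inputs: the two-line form from the post, and a single merged directive.
POSTED_CONFIG = [
    'Header set Content-Security-Policy "default-src \'self\';"',
    'Header set Content-Security-Policy "*mydomain.com;"',
]
MERGED_CONFIG = ['Header set Content-Security-Policy "default-src \'self\' *.mydomain.com;"']

if __name__ == "__main__":
    for label, cfg in (("two Header set lines", POSTED_CONFIG), ("merged directive", MERGED_CONFIG)):
        effective, issues = audit(cfg)
        print(f"{label}: effective header = {effective!r}")
        for issue in issues or ["no problems found"]:
            print("  -", issue)
```

Running it shows that with two `Header set` lines only the second value survives, and that value names no directive a browser knows, so nothing is restricted even though a scanner sees a CSP header; the merged single directive is the form that actually restricts sources to the origin and the wildcard host.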