Implementing the CSP header on static pages in Rails


As part of a third-party audit, my company's Rails application was found not to be serving the Content Security Policy (CSP) header for the default 404.html page (or any of the other default static pages from the Rails public folder).

We would like to implement it, but we could not find resources on how to implement the CSP header in these static pages within rails.

The Rails app runs behind nginx web servers.

The CSP header is already correctly added to all the non-static responses served by the app (this is configured in Rails).

So the questions:

  • Is it a configuration to be done in Rails or in nginx? If so, where exactly?
  • Is it worth it to add the CSP header on these static pages?
There is 1 answer

The Fabio (best answer):

After some research, it seems the static pages can have a meta tag added, and that should be enough for compliance with the CSP audit.

Someone else asked about the security of the CSP meta tag in comparison to the header and this response tells us it is a good alternative to the header.

Because these static pages do not contain complex resources or scripts, adding this to the static pages' head block should be enough:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self';">
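Added example (not part of the answer above, and not code from any Rails project): a small Ruby audit script that reads the static pages in Rails' public folder, extracts the CSP meta tag the answer proposes, parses the policy, and reports two kinds of findings a practitioner checking this fix would want: pages with no policy at all, and directives that browsers only honour in the HTTP header and silently ignore in a meta tag (frame-ancestors, report-uri and sandbox). The sample 404 page embedded in the script is constructed for the example; the public/*.html glob and the required-directive list are assumptions.

```ruby
# Constructed sample: a minimal Rails-style public/404.html with the CSP
# meta tag from the answer added to its <head>. Not a real project file.
SAMPLE_404 = <<~HTML
  <!DOCTYPE html>
  <html>
  <head>
    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self';">
    <title>The page you were looking for doesn't exist (404)</title>
  </head>
  <body><h1>The page you were looking for doesn't exist.</h1></body>
  </html>
HTML

# Directives that are only honoured when CSP arrives as an HTTP header;
# in a <meta> element browsers ignore them, so listing them there gives
# a false sense of coverage and is worth flagging.
META_UNSUPPORTED = %w[frame-ancestors report-uri sandbox].freeze

# Extract the content attribute of a CSP meta tag from raw HTML.
# Returns nil when the page carries no such tag. A regex is used so the
# script needs no gems; it handles double- or single-quoted attributes.
def csp_meta_content(html)
  tag = html.match(/<meta\s+[^>]*http-equiv\s*=\s*["']Content-Security-Policy["'][^>]*>/i)
  return nil unless tag
  attr = tag[0].match(/content\s*=\s*(?:"([^"]*)"|'([^']*)')/i)
  return nil unless attr
  attr[1] || attr[2]
end

# Parse a serialized policy ("d1 s1 s2; d2 s3") into { directive => [sources] }.
def parse_csp(policy)
  policy.split(";").each_with_object({}) do |part, acc|
    tokens = part.strip.split(/\s+/)
    next if tokens.empty? || tokens[0].empty?
    acc[tokens[0].downcase] = tokens[1..-1]
  end
end

# Audit one static page. Returns a hash of findings; an empty hash means
# the page has a meta policy containing every required directive and no
# directive that a meta policy cannot deliver.
def audit_static_csp(html, required: %w[default-src])
  content = csp_meta_content(html)
  return { missing_policy: true } if content.nil?

  policy = parse_csp(content)
  findings = {}
  missing = required - policy.keys
  findings[:missing_directives] = missing unless missing.empty?
  ignored = policy.keys & META_UNSUPPORTED
  findings[:ignored_in_meta] = ignored unless ignored.empty?
  findings
end

if __FILE__ == $PROGRAM_NAME
  # Run from the Rails root; the public/*.html location is an assumption.
  Dir.glob("public/*.html").sort.each do |path|
    puts "#{path}: #{audit_static_csp(File.read(path)).inspect}"
  end
end
```

Run it from the application root (ruby audit_static_csp.rb) to list each static page with its findings; an empty hash means the page passes. Because the meta tag cannot carry frame-ancestors, a clickjacking restriction for these pages still has to come from the web server or framework response headers, which is the nginx side of the original question.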