website/docs: add CSP to hardening #11970
Conversation
authentik PR installation instructions

Instructions for docker-compose: add the following block to your

```
AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-8b49c90353c4441215641a0befbcc39ce9515e69
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
```

For arm64, use these values:

```
AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-8b49c90353c4441215641a0befbcc39ce9515e69-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
```

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes: add the following block to your

```
authentik:
  outposts:
    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
  image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-8b49c90353c4441215641a0befbcc39ce9515e69
```

For arm64, use these values:

```
authentik:
  outposts:
    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
  image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-8b49c90353c4441215641a0befbcc39ce9515e69-arm64
```

Afterwards, run the upgrade commands from the latest release notes.
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com> Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
### Content Security Policy (CSP)

:::caution
Setting up CSP incorrectly may result in the client not loading necessary third-party code.
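Review bot: the caution names the failure mode but not how a reader would notice it or roll the policy out safely. Suggest adding that blocked resources show up as CSP violation errors in the browser's developer console, and that the policy can first be deployed under the `Content-Security-Policy-Report-Only` header, which reports violations without blocking anything, and then moved to `Content-Security-Policy` once the console is clean on the login, enrollment and admin pages.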
Suggested change:
- Setting up CSP incorrectly may result in the client not loading necessary third-party code.
+ Setting up CSP incorrectly might result in the client not loading necessary third-party code.
Content Security Policy (CSP) is a security standard that mitigates the risk of content injection vulnerabilities. authentik doesn't currently support CSP natively, so setting it up depends on your installation. We recommend using a [reverse proxy](../install-config/reverse-proxy.md) to set a CSP header.
authentik will require at least the following origins:
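Review bot: "origins" is not the term CSP uses for the entries that follow a directive; the spec calls them source expressions (`'self'`, a host, a scheme, or a keyword such as `'unsafe-inline'`), and `'self'` already denotes the document's own origin, so "origins" reads as if only hostnames belong in the list. Suggest wording it as "the following directives and source expressions" and linking to a CSP reference so readers know where in their proxy configuration these values go.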
Suggested change:
- authentik will require at least the following origins:
+ authentik requires at least the following origins:
Should we explain more about what an origin is? Where to define it? Do we have any links about it to link to?
Offline resolution: we should use the word used by the CSP spec: "location"
tanberry left a comment:
I thought I had edited that use of "may" before, but maybe I missed this one. (We want to use "might", to imply chances, instead of "may" which implies permission. :-)
/cherry-pick version-2024.10
:::
Content Security Policy (CSP) is a security standard that mitigates the risk of content injection vulnerabilities. authentik doesn't currently support CSP natively, so setting it up depends on your installation. We recommend using a [reverse proxy](../install-config/reverse-proxy.md) to set a CSP header.
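Review bot: this paragraph says authentik "doesn't currently support CSP natively", but the same release adds a CSP header on files served under `/media` (#12092). A reader who follows the reverse-proxy advice literally will set the header on every path and, depending on the proxy, replace the one authentik already sends for those responses. Suggest stating here that the proxy should only add the header where the upstream response does not already carry one, or scope the proxy rule so it excludes `/media`.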
We probably should cross-reference #12092 so that that behaviour is also documented. People deploying a custom csp might overlook this and override those headers.
Added a general warning not to overwrite any existing CSP header.
```
default-src 'self';
style-src 'self' 'unsafe-inline';
```
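Review bot: `'unsafe-inline'` in `style-src` is a deliberate relaxation and the thread says `script-src` needs it as well; each permissive directive in the documented policy should carry a comment naming the part of the UI that requires it, and the `script-src` case should say plainly that `'unsafe-inline'` there removes most of the protection CSP gives against injected scripts, so that readers do not copy the block into unrelated applications as a "known good" policy.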
We might want to add comments that explain why we need unsafe-inline for styles and scripts based on the comments I had in the notes in notion
Fair enough, added.
(A bit weird syntactically because this is a language-agnostic text block, but anyone who's implementing it will understand.)
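To show what reviewing such a policy involves, here is an added Python example (not part of authentik, and not code from this PR) that parses a `Content-Security-Policy` header value into directives, resolves the CSP3 fallback chain (a granular directive falls back to its parent, fetch directives fall back to `default-src`, and directives such as `frame-ancestors` never fall back), and flags the permissive settings discussed in this thread. The two policies at the bottom are constructed for illustration: one from the directives quoted above plus a `script-src` line with `'unsafe-inline'`, which the thread says the UI also needs, and one tighter variant with a placeholder nonce.

```python
"""Parse and audit a Content-Security-Policy header value.

Added example for this review thread; it is not part of authentik or of the
documentation change under review. The two policies at the bottom are
constructed for illustration.
"""
from __future__ import annotations

# CSP3 fallback chain: a granular directive falls back to its parent, and
# fetch directives fall back to default-src. Directives in NO_FALLBACK never
# fall back, so leaving them out means they are simply not enforced.
FALLBACK = {
    "script-src-elem": "script-src",
    "script-src-attr": "script-src",
    "style-src-elem": "style-src",
    "style-src-attr": "style-src",
}
NO_FALLBACK = {"frame-ancestors", "form-action", "base-uri", "sandbox",
               "report-uri", "report-to", "upgrade-insecure-requests"}
BROAD_SOURCES = {"*", "http:", "https:", "data:", "blob:"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a header value into {directive: [source expressions]}.

    Directives are ';'-separated and tokens whitespace-separated; directive
    names are case-insensitive. A repeated directive is ignored, matching
    browser behaviour (the first occurrence wins).
    """
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Resolve the source list a browser applies to `directive`.

    Returns None when nothing governs it, which for a fetch directive means
    every source is allowed.
    """
    name: str | None = directive
    while name is not None:
        if name in policy:
            return policy[name]
        if name in NO_FALLBACK or name == "default-src":
            return None
        name = FALLBACK.get(name, "default-src")
    return None


def has_nonce_or_hash(sources: list[str]) -> bool:
    """'unsafe-inline' is ignored by CSP2+ browsers when a nonce or hash is present."""
    return any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)


def audit_csp(policy: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Return (severity, message) findings for the permissive settings
    discussed in the review. Keyword matching is exact-case."""
    findings: list[tuple[str, str]] = []
    if "default-src" not in policy:
        findings.append(("medium", "default-src missing: fetch directives not listed allow every source"))

    scripts = effective_sources(policy, "script-src")
    if scripts is None:
        findings.append(("high", "script-src unrestricted: neither script-src nor default-src is set"))
    else:
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash(scripts):
            findings.append(("high", "script-src allows 'unsafe-inline': injected inline scripts execute; prefer a nonce or hash"))
        if "'unsafe-eval'" in scripts:
            findings.append(("medium", "script-src allows 'unsafe-eval'"))
        for src in scripts:
            if src in BROAD_SOURCES:
                findings.append(("high", f"script-src allows the overly broad source {src}"))

    styles = effective_sources(policy, "style-src")
    if styles is not None and "'unsafe-inline'" in styles and not has_nonce_or_hash(styles):
        findings.append(("low", "style-src allows 'unsafe-inline': some UIs need it; lower impact than inline scripts"))

    objects = effective_sources(policy, "object-src")
    if objects is None or "'none'" not in objects:
        findings.append(("low", "object-src is not 'none': plugin content is allowed; set object-src 'none' unless needed"))

    if effective_sources(policy, "frame-ancestors") is None:
        findings.append(("medium", "frame-ancestors missing: it does not inherit default-src, so the page may be framed"))
    return findings


def audit_header(header: str) -> list[tuple[str, str]]:
    return audit_csp(parse_csp(header))


# Constructed sample: the directives quoted in this review, plus a script-src
# line with 'unsafe-inline', which the thread says the UI also needs.
SAMPLE_POLICY = "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'"
# Constructed tighter variant: inline scripts only via a nonce (the value is a placeholder).
HARDENED_POLICY = ("default-src 'self'; style-src 'self' 'unsafe-inline'; "
                   "script-src 'self' 'nonce-PLACEHOLDER'; object-src 'none'; frame-ancestors 'none'")

if __name__ == "__main__":
    for label, header in (("sample", SAMPLE_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"== {label} ==")
        for severity, message in audit_header(header):
            print(f"[{severity}] {message}")
```

Run against the sample policy the audit reports the `script-src` relaxation as high, the `style-src` one as low, and two gaps the quoted block does not cover at all (`object-src` inherits `'self'` rather than `'none'`, and `frame-ancestors` is absent because it never inherits from `default-src`); the nonce-based variant only keeps the `style-src` note. Running it against the header your reverse proxy actually emits is a quick way to confirm that the directives the docs list survived the proxy configuration unchanged.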
Commits in this PR:
* add CSP to hardening
* re-word docs (Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>; Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>)
* fix typo
* use the correct term "location" instead of "origin" in CSP docs
* reword docs
* add comments to permissive CSP directives
* add warning about overwriting existing CSP headers

Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>

Squash commit: website/docs: add CSP to hardening (#11970)
* add CSP to hardening
* re-word docs
* fix typo
* use the correct term "location" instead of "origin" in CSP docs
* reword docs
* add comments to permissive CSP directives
* add warning about overwriting existing CSP headers

Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
* main: (23 commits)
  website/docs: update info about footer links to match new UI (#12120)
  website/docs: prepare release notes (#12142)
  providers/oauth2: fix migration (#12138)
  providers/oauth2: fix migration dependencies (#12123)
  web: bump API Client version (#12129)
  providers/oauth2: fix redirect uri input (#12122)
  providers/proxy: fix redirect_uri (#12121)
  website/docs: prepare release notes (#12119)
  web: bump API Client version (#12118)
  security: fix CVE 2024 52289 (#12113)
  security: fix CVE 2024 52307 (#12115)
  security: fix CVE 2024 52287 (#12114)
  website/docs: add CSP to hardening (#11970)
  core: bump uvicorn from 0.32.0 to 0.32.1 (#12103)
  core: bump google-api-python-client from 2.153.0 to 2.154.0 (#12104)
  core: bump pydantic from 2.9.2 to 2.10.0 (#12105)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in it (#12110)
  internal: add CSP header to files in `/media` (#12092)
  core, web: update translations (#12101)
  web: fix bug that prevented error reporting in current wizard. (#12033)
  ...