Black Hills Information Security, September 29, 10:50
Updating Your Website Security Policy: Using Cloudflare to Tune the Content-Security-Policy
This article discusses the importance of updating the Content-Security-Policy (CSP) in the context of website migration and evolving technology. A CSP instructs the browser on how to handle security-related behavior, and it is especially critical where user interaction and sensitive information are involved. The author looks back at the CSP configuration method from four years ago and introduces a new solution using Cloudflare Workers. Cloudflare Workers, a serverless JavaScript service, can modify a site's traffic directly at the Cloudflare CDN/WAF layer, so the CSP can be updated and tuned without changing the backend server configuration, giving the site stronger security guarantees.

📄 **Why CSP matters and how it has evolved**: The Content-Security-Policy (CSP) is the key mechanism for instructing the browser how to handle security-related behavior, and it is indispensable on sites that handle user interaction and sensitive information (such as banking or health-record portals). As technology and hosting platforms change, CSP best practices evolve too, so the policy needs periodic review and updating to meet new security requirements.

🌐 **Tuning the CSP with Cloudflare Workers**: For sites that use Cloudflare as their CDN and WAF, Cloudflare Workers offer a new way to configure a CSP. Workers are a serverless JavaScript service that can manipulate and modify site traffic directly at the Cloudflare network layer, so the CSP can be updated and deployed without changing the backend server's configuration.

🔍 **Initial testing and assessment of the CSP configuration**: Before updating the CSP, scan and evaluate the site's existing CSP configuration with a third-party tool such as SecurityHeaders.io. This gives a clear picture of the current state of the CSP, identifies potential weaknesses or misconfigurations, and provides a baseline for subsequent tuning. The results should be interpreted in light of the site's actual situation (whether there is user interaction, whether sensitive information is handled) when judging their security impact.

Kent Ickler //

Background

Over four years ago now, I wrote a blog post on fixing missing Content-Security-Policy by updating configuration on webservers: https://www.blackhillsinfosec.com/fix-missing-content-security-policy-website/. Content-Security-Policies instruct a user’s web browser how it should behave on certain security considerations.

Oh, how times have changed. Here at Black Hills Information Security (BHIS), we’ve actually migrated webservers, hosting companies, security platforms — that list goes on and on. The “best practices” for Content-Security-Policies have changed in the last four years too. On our new hosting platform, we need to set up appropriate content security headers again. Since we now use Cloudflare for our CDN and WAF provider, we have some new opportunities for fronting our Content-Security-Policies outside of the web server itself.

Initial Testing

Before you go about updating your Content-Security-Policies, it’s good to have a clear picture of how your server currently handles/sends Content-Security-Policies. A good way to test this configuration is to use a third-party tool. We can use SecurityHeaders.io to scan our website’s Content-Security-Policy configuration.

Link: https://www.securityheaders.io

In the case below, we’ve had SecurityHeaders.io scan the WildWestHackinFest.com website.

That looks bad, right? Well, maybe. It is important to note that Content-Security-Policies are used to instruct the browser how to handle security concerns within the browser. This is critical on websites where there is user interaction and sensitive information being disclosed. For example, it would be imperative that a banking website, health records portal, or other user-interaction service have appropriate Content-Security-Policy headers. In the scenario where there is no user interaction or no sensitive information disclosed, it becomes less imperative that Content-Security-Policies be configured in a very secured state.

Here’s a good example of a “not-great” configuration scenario: The US Social Security Administration has a portal where users can log in and access sensitive information about their account. The portal login landing page is https://secure.ssa.gov:

Alright, so that’s a picture of what not to do.

If you’re looking to correct some of these issues, you have a couple of methods available to you. The first is to read the blog from four years ago that demonstrates how to fix the issue by configuring your web server with the appropriate Content-Security-Policy headers. But there is another way.

Cloudflare Workers

Link: https://workers.cloudflare.com/

Cloudflare Workers are serverless, server-side JavaScript functions that can perform actions on, or modify, web traffic for a site protected by the Cloudflare CDN/WAF. In the case of our earlier example, https://wildwesthackinfest.com is a website that is served by the Cloudflare network. This allows us to use the Cloudflare Workers service to manipulate web traffic without having to update the backend (“origin...
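The approach described above, as an added example that is not BHIS's own Worker code: a Worker that fetches the page from the origin and sets a Content-Security-Policy header on the response before it reaches the browser, with a report-only switch for a safe first rollout. The policy string is a constructed placeholder, not the WildWestHackinFest.com policy.

```javascript
// Added example: a Cloudflare Worker that fronts the CSP at the CDN/WAF layer.
// The policy below is a constructed placeholder; tune it for the real site.
const CSP_POLICY = [
  "default-src 'self'",
  "script-src 'self'",
  "style-src 'self'",
  "img-src 'self' data:",
  "object-src 'none'",
  "base-uri 'self'",
  "frame-ancestors 'none'",
].join("; ");

// Build a new Response that carries the origin's body, status and headers,
// plus the CSP header. Headers on a fetched Response are immutable, so we
// copy them first. Any CSP the origin already sent is overridden here,
// which is the point of fronting the policy outside the web server.
// With reportOnly=true the policy is only reported, not enforced, so it
// can be trialled against real traffic before it is switched on.
function addSecurityHeaders(originResponse, { reportOnly = false } = {}) {
  const headers = new Headers(originResponse.headers);
  const headerName = reportOnly
    ? "Content-Security-Policy-Report-Only"
    : "Content-Security-Policy";
  headers.delete("Content-Security-Policy");
  headers.delete("Content-Security-Policy-Report-Only");
  headers.set(headerName, CSP_POLICY);
  return new Response(originResponse.body, {
    status: originResponse.status,
    statusText: originResponse.statusText,
    headers,
  });
}

// Worker entry point (Service Worker syntax). The typeof guard only lets
// this file also load outside the Workers runtime, e.g. in a local test.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => {
    event.respondWith(fetch(event.request).then((r) => addSecurityHeaders(r)));
  });
}
```

Deploy with report-only first, watch the browser console and any report endpoint for violations, then flip to enforcing mode.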
