Support secure Content Security Policy
Security is becoming more and more important for every company with an online presence, and they require their software to run under tight security restrictions.
An important control against Cross-Site Scripting (XSS) is a Content Security Policy (CSP) header. This header can block inline JavaScript and JavaScript eval, which makes it an effective and externally visible defense against XSS.
Recent versions of Archibus already implement major improvements to protect against XSS internally. However, major clients such as banks and telecommunications companies want to visibly protect their systems and users across their entire online presence, without relying on the internals of each individual application. External validators such as BitSight (https://www.bitsight.com/) check for the presence of a secure CSP header.
The following CSP, which still allows inline scripts and eval and is therefore not yet a real XSS defense, can be set without affecting basic Archibus Web Central functionality (when not using external integrations such as ESRI):
frame-ancestors 'self'; default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; form-action 'self';
To protect against XSS, the 'unsafe-inline' and 'unsafe-eval' keywords must be removed from the script-src directive; any inline script the application still needs then has to be allowed explicitly via a per-response nonce or a hash. The 'unsafe-inline' keyword in style-src is less of a problem.
Attached to this proposal is documentation, provided by one of our clients, about achieving a secure CSP header. See also https://content-security-policy.com/unsafe-inline/ and https://csp-evaluator.withgoogle.com/

-
Yorik Gerlo commented
We have 2 major clients in telecommunications and banking pushing hard to enforce security via the CSP header.
I expect more major companies with a presence in the European Union will require this, since the adoption of the NIS2 directive for cybersecurity in October 2024.