Restricted default content security headers

Thank you, I really need to make it right.


I haven’t got a reply for many days. I am very concerned about this issue because it’s happening in production.

When you say anything, what does that mean? No CSP header, or no output at all?


No output at all

And you put your origin’s IP address in for ORIGIN-IP?

yes, I am getting no output

Does any of these headers add a default header? `default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests`

What do you mean by “default header”? Cloudflare doesn’t have any defaults for customer custom headers. In every situation where you need headers like CSP, you need to do some work as explained above.

Is your SSL mode Flexible? If so, change the `https://` in the curl to the Origin IP to `http://`. (And then fix your webserver to use Full Strict.)

It’s tricky for you to diagnose an issue if you cannot test your Origin. Can you investigate why you get no response from your origin? It might be that you need a firewall rule to allow your own test requests.

The CSP policy you showed earlier is very specific, and unlikely to be the result of any default action. It also looks as if you have multiple different CSP policies. The first thing you need to confirm is where those are added. To rule CF in or out you need the request from the Origin IP address.


I get this output from the curl command:

```
HTTP/2 200
date: Sat, 06 Nov 2021 21:01:41 GMT
content-type: text/html; charset=utf-8
content-security-policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
content-security-policy: base-uri 'self'; connect-src 'self' trusted-cdn.com; default-src 'self'; font-src 'self'; frame-src 'self' trusted-cdn.com; img-src 'self' * trusted-cdn.com; manifest-src 'self'; media-src 'self'; object-src 'none'; report-uri; script-src 'report-sample' 'self' https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js https://www.privacypolicies.com/public/cookie-consent/4.0.0/cookie-consent.js trusted-cdn.com; style-src 'report-sample' 'self'; worker-src 'none';
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
x-permitted-cross-domain-policies: none
referrer-policy: no-referrer
x-xss-protection: 0
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=YXrvbCqakxj0o4DGF5ULdXYTDVro%2BQklE%2B0eUL2JVbwFkRk0%2B3ZS6LWx3dTxw40YZUvmLnoXOHRa9CGHI%2FS%2Fc7A4L9SuYutiVrXivNoBHKz3Ef%2BIY4Es2xOitM3V8W4AVn7oyi1LVQU%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 6aa1421c3dee16e3-DME
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
```
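The output above carries two `content-security-policy` headers, and a browser enforces both: a script URL must pass each policy, so the second policy's ad-script allow-list is overridden by the first policy's `script-src 'self'`. The following diagnostic is an added example, not code from the thread; it assumes the first header equals helmet's `contentSecurityPolicy()` defaults (copied from the thread, not checked against a helmet release) and uses a trimmed, constructed copy of the header dump:

```javascript
// Added example (not from the thread): count the Content-Security-Policy
// headers in a raw header dump and show why a script host that one policy
// allows can still be blocked: browsers enforce every CSP header received,
// so the effective policy is the intersection of all of them.
// Constructed sample, trimmed from the curl output above (two CSP headers).
const RAW_HEADERS = `HTTP/2 200
content-type: text/html; charset=utf-8
content-security-policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
content-security-policy: default-src 'self'; script-src 'report-sample' 'self' https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js trusted-cdn.com; worker-src 'none'
server: cloudflare`;
// Helmet's contentSecurityPolicy() defaults (useDefaults: true), as assumed from
// the first header in the thread; verify against the helmet version you run.
const HELMET_DEFAULT_CSP = "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests";
// Every content-security-policy header value in the dump (name is case-insensitive).
function cspHeaders(raw) {
  return raw.split(/\r?\n/).filter((l) => /^content-security-policy:/i.test(l))
    .map((l) => l.slice(l.indexOf(":") + 1).trim());
}
// One policy string -> { directive: [sources] }.
function parseCsp(policy) {
  const out = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}
// Whitespace-insensitive form, enough to recognise helmet's default policy.
const normalize = (p) => p.replace(/\s*;\s*/g, ";").replace(/;$/, "").trim();
// Does `url` pass this policy's script-src (falling back to default-src)?
// Host-only matching; CSP path matching is omitted for brevity.
function scriptAllowed(policy, url, selfHost) {
  const p = parseCsp(policy);
  const host = new URL(url).host;
  return (p["script-src"] || p["default-src"] || []).some((s) => {
    if (s === "'self'") return host === selfHost;
    if (s === "https:") return url.startsWith("https:");
    if (s.startsWith("'")) return false;  // other keywords never match a host
    return (s.includes("://") ? new URL(s).host : s.split("/")[0]) === host;
  });
}
// Summary a defender wants: how many policies, is the first one helmet's
// default, and is the URL allowed by each policy and by all of them together.
function diagnose(raw, url, selfHost) {
  const policies = cspHeaders(raw);
  const allowedByEach = policies.map((p) => scriptAllowed(p, url, selfHost));
  return {
    count: policies.length,
    firstIsHelmetDefault: policies.length > 0 && normalize(policies[0]) === normalize(HELMET_DEFAULT_CSP),
    allowedByEach,
    effectivelyAllowed: allowedByEach.length > 0 && allowedByEach.every(Boolean),
  };
}
```

Running `diagnose(RAW_HEADERS, "https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "example.com")` reports two policies, the first matching helmet's default, and the ad script allowed by the second policy only, so it is blocked overall.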

I always have had trouble with CSP and third-party sites displaying ads on my Website - just to add a note here.

Nevertheless, I remember I came across a similar topic a while ago where I think it was ExpressJS or NodeJS to troubleshoot, including the below …

Search for `helmet.contentSecurityPolicy()`, it should be like:

```js
// assumes `app` is an Express app and `helmet` is the helmet package
app.use(
  helmet.contentSecurityPolicy({
    useDefaults: true,
  })
);
```

Helpful article:

This is where they come from and are set by default (see above), or otherwise I could be wrong about it?

EDIT: Found it here (if it could help at least a bit in your case):

I removed all third-party dependencies that could interact with CSP, but the result is the same.

And you re-run the app with new applied modifications and purged the Cloudflare Cache?

Okay, but what about the default ExpressJS or NodeJS ones (`response.writeHead ...`) to edit the headers sent from there?
Have you re-checked for their existence, or better to say, disabled them if so?

How about the one below, is it enabled for your domain?

Disabling Under Attack Mode

I just cache it. Under Attack Mode is off and there is no code that could cause CSP in my application

Could it be that these headers interact with CSP somehow?

```nginx
location / {
    proxy_pass http://localhost:3338;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
}
```

That is a curl directly to the IP of your origin? If so, the headers are clearly coming from your origin. And if that is the case, all Cloudflare is doing is passing the headers through.


I literally don’t get it. Then it’s probably helmet causing this CSP, but I completely shut it down.


I found out that I had to restart and cache my pm2. I am sorry for the inconvenience.


This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.