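# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.8
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# -=[ Content Security Policy (CSP) Settings ]=-
#
# The purpose of these settings is to send CSP response headers to
# Mozilla FireFox users so that you can enforce how dynamic content
# is used. CSP usage helps to prevent XSS attacks against your users.
#
# Reference Link:
#
# https://developer.mozilla.org/en/Security/CSP
#
# Values this file reads but does not define (presumably set in the
# setup/config file -- confirm against the deployment):
#   tx.csp_report_uri   path the browser POSTs violation reports to
#   tx.csp_report_only  1 = send the Report-Only header, 0 = enforce
#   csp_policy          Apache env var holding the policy string
#
#
# If this is a CSP Violation Report Request, we need to enable request
# body population of the REQUEST_BODY variable. This is not done by
# default since the request body content-type is JSON.
#
SecRule REQUEST_FILENAME "@streq %{tx.csp_report_uri}" "phase:1,id:'981142',t:none,nolog,pass,ctl:forceRequestBodyVariable=On"
#
# Check the REQUEST_BODY for CSP Violation Report data and generate an Alert
#
# Both capture groups are non-greedy. The previous "(.*)" for
# violated-directive backtracked to the last double quote on that line
# of the body, so logdata carried the remainder of the JSON report
# (original-policy, etc.) instead of just the directive name.
# The report body is client-supplied and unauthenticated; this rule
# only alerts (pass), and the captured values should be treated as
# untrusted input when the logs are reviewed.
#
SecRule REQUEST_BODY "({\"csp-report\":.*blocked-uri\":\"(.*?)\".*violated-directive\":\"(.*?)\")" "phase:2,id:'960001',capture,t:none,log,pass,msg:'Content Security Policy (CSP) Violation',logdata:'blocked-uri:%{tx.2} violated-directive:%{tx.3}',tag:'OWASP_AppSensor/RP3',tag:'https://www.owasp.org/index.php/AppSensor_DetectionPoints#RP3'"
#
# Check the User-Agent string for FireFox users and then set an ENV var
# to tell Apache which CSP header policy to use.
#
# Each parent rule is chained to a check of tx.csp_report_only, so only
# one of the two env vars is set per request; if tx.csp_report_only is
# not defined, neither rule matches and no CSP header is sent.
#
SecRule REQUEST_HEADERS:User-Agent "(?i:mozilla.*firefox)" "phase:3,id:'960002',t:none,nolog,pass,chain"
    SecRule TX:CSP_REPORT_ONLY "@eq 1" "setenv:firefox_client-csp_report_only=1"
SecRule REQUEST_HEADERS:User-Agent "(?i:mozilla.*firefox)" "phase:3,id:'960003',t:none,nolog,pass,chain"
    SecRule TX:CSP_REPORT_ONLY "@eq 0" "setenv:firefox_client-csp_enforce=1"
#
# Set the appropriate CSP Policy Header for FireFox clients
#
# NOTE: X-Content-Security-Policy is the pre-standard Firefox header
# name. Browsers implementing the W3C specification read
# Content-Security-Policy / Content-Security-Policy-Report-Only and
# ignore the X- form, and the policy grammar differs, so switching the
# header name also requires rewriting the csp_policy value.
#
Header set X-Content-Security-Policy-Report-Only "%{csp_policy}e" env=firefox_client-csp_report_only
Header set X-Content-Security-Policy "%{csp_policy}e" env=firefox_client-csp_enforce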