Introduction
Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
Deprecated headers
X-XSS-Protection
This header is deprecated and is no longer considered a modern solution for mitigating XSS vulnerabilities; current versions of the major browsers no longer implement the XSS filter it controlled, so setting it has no effect there. It has been replaced by the Content-Security-Policy header, whose script-src directive restricts where scripts may be loaded from and, as long as 'unsafe-inline' is not listed as a source, blocks inline scripts altogether.
X-Frame-Options
This header is deprecated and is no longer considered a modern approach for mitigating iframe-based attacks such as clickjacking. It has been replaced by the frame-ancestors directive in the Content Security Policy (CSP) header, which accepts a list of permitted embedding origins rather than only DENY or SAMEORIGIN, and which browsers honour in preference to X-Frame-Options when both headers are present.
Content Security Policy
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.
Note: Content Security Policy (CSP) is available starting with Kepion version 6.1.24324.
How CSP enhances security
By enabling CSP, Kepion helps prevent malicious code from executing on its platform. With CSP in place, only JavaScript served from Kepion's own origin (the server that serves the application) is permitted to run; the browser refuses scripts injected inline into a page or loaded from third-party hosts. This restriction minimizes the risk from injected content and third-party scripts, providing stronger security for both the application and its users.
Enable CSP
In Kepion, CSP is enabled by default. If it is not enabled as expected, follow these steps to enable it:
1. Open SSMS and execute the following statement.
USE [Kepion_System]
GO
IF EXISTS (
SELECT 1 FROM [dbo].[SystemSettings] WHERE [Key] = N'EnableContentSecurityPolicy'
)
BEGIN
UPDATE [dbo].[SystemSettings]
SET [Value] = N'True'
WHERE [Key] = N'EnableContentSecurityPolicy';
END
ELSE
BEGIN
INSERT INTO [dbo].[SystemSettings] ([Key],[Value])
VALUES (N'EnableContentSecurityPolicy', N'True');
END
2. Verify the changes in the SystemSettings table.
SELECT *
FROM [Kepion_System].[dbo].[SystemSettings]
WHERE [Key] = N'EnableContentSecurityPolicy';
3. Restart Kepion in IIS.
Note: To apply the changes, you must restart Kepion in Internet Information Services (IIS). Learn how to restart IIS here.
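A restart without the header actually reaching the browser is the usual failure mode, so after step 3 it is worth checking the response headers rather than only the SystemSettings row. The script below is an added example (it is not Kepion's own code and makes no assumptions about Kepion's internals): it parses a Content-Security-Policy header into its directives and flags what a reviewer would look for, namely a missing header, a script-src that still allows 'unsafe-inline', and a frame-ancestors that is not the default 'none'. The sample header sets are constructed for the offline demonstration; pass a live URL as the first argument to check a real deployment.

```python
"""Check the Content-Security-Policy header a Kepion instance serves after CSP is enabled.
Added example, not Kepion's own code. The sample headers below are constructed."""
import sys
import urllib.request

# Constructed sample: headers as they might look once CSP is enabled.
SAMPLE_HEADERS_ENABLED = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
}
# Constructed sample: no CSP at all (setting is False, or IIS was never restarted).
SAMPLE_HEADERS_DISABLED = {"Content-Type": "text/html; charset=utf-8"}


def parse_csp(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def check_csp(headers):
    """Return a list of findings; an empty list means the policy looks as this page describes."""
    findings = []
    # Header names are case-insensitive; normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("content-security-policy")
    if value is None:
        return ["Content-Security-Policy header missing: setting is off or IIS was not restarted"]
    policy = parse_csp(value)
    # script-src falls back to default-src when absent; frame-ancestors never does.
    script_src = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        findings.append("no script-src or default-src: scripts are not restricted at all")
    elif "'unsafe-inline'" in script_src:
        findings.append("script-src allows 'unsafe-inline', which defeats the XSS mitigation")
    frame_ancestors = policy.get("frame-ancestors")
    if frame_ancestors is None:
        findings.append("frame-ancestors missing: embedding (clickjacking) is not restricted")
    elif frame_ancestors != ["'none'"]:
        findings.append("frame-ancestors is %s, not the default 'none'" % " ".join(frame_ancestors))
    return findings


def fetch_headers(url):
    """Fetch the response headers of a live URL (assumed deployment URL; not used offline)."""
    with urllib.request.urlopen(urllib.request.Request(url, method="HEAD")) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS_ENABLED
    for line in check_csp(headers) or ["CSP header present and as expected"]:
        print(line)
```

Run it against the Kepion login page after the IIS restart; if the first finding is the missing header, the SystemSettings row was updated but the running process has not picked it up yet.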
Disable CSP
To disable CSP in your environment, follow these steps:
1. Open SSMS and execute the following statement.
USE [Kepion_System]
GO
IF EXISTS (
SELECT 1 FROM [dbo].[SystemSettings] WHERE [Key] = N'EnableContentSecurityPolicy'
)
BEGIN
UPDATE [dbo].[SystemSettings]
SET [Value] = N'False'
WHERE [Key] = N'EnableContentSecurityPolicy';
END
ELSE
BEGIN
INSERT INTO [dbo].[SystemSettings] ([Key],[Value])
VALUES (N'EnableContentSecurityPolicy', N'False');
END
2. Verify the changes in the SystemSettings table.
SELECT *
FROM [Kepion_System].[dbo].[SystemSettings]
WHERE [Key] = N'EnableContentSecurityPolicy';
3. Restart Kepion in IIS.
Note: To apply the changes, you must restart Kepion in Internet Information Services (IIS). Learn how to restart IIS here.
Configure whitelist
The frameAncestors value in the CustomContentSecurityPolicy setting maps to the CSP frame-ancestors directive, which controls which origins are permitted to embed your application in a frame, iframe, object or embed element. This is crucial for preventing clickjacking attacks.
Default settings
By default, frameAncestors is set to 'none' to ensure maximum security, which blocks every embedding attempt, including from Kepion's own origin. To restore that default after a change, execute the following statement in SSMS (JSON_MODIFY requires SQL Server 2016 or later):
USE [Kepion_System];
GO
-- WARNING: Be cautious when updating CustomContentSecurityPolicy.
-- This setting is stored as JSON. Direct updates may overwrite existing configurations.
-- Ensure that updates preserve the existing structure.
-- Check if the CustomContentSecurityPolicy key exists
IF EXISTS (
SELECT 1
FROM [dbo].[SystemSettings]
WHERE [Key] = N'CustomContentSecurityPolicy'
)
BEGIN
-- Dynamically merge the existing JSON with the new frameAncestors value
DECLARE @ExistingValue NVARCHAR(MAX);
SELECT @ExistingValue = [Value]
FROM [dbo].[SystemSettings]
WHERE [Key] = N'CustomContentSecurityPolicy';
-- Use JSON_MODIFY to safely update the frameAncestors field
UPDATE [dbo].[SystemSettings]
SET [Value] = JSON_MODIFY(@ExistingValue, '$.frameAncestors', '''none''')
WHERE [Key] = N'CustomContentSecurityPolicy';
END
ELSE
BEGIN
-- Insert new key if it doesn't exist.
-- The value must be valid JSON: the CSP keyword 'none' (single quotes included)
-- is stored inside a JSON string, matching what the UPDATE branch above produces.
INSERT INTO [dbo].[SystemSettings] ([Key], [Value])
VALUES (N'CustomContentSecurityPolicy', N'{"frameAncestors": "''none''"}');
END
Update header
If needed, you can update the CustomContentSecurityPolicy setting in the SystemSettings table to allow specific trusted sources to embed Kepion within an iframe. This is particularly useful when integrating Kepion into trusted environments.
To whitelist specific domains for embedding, set the frameAncestors value to a JSON array of the allowed origins.
For example:
{
"frameAncestors": ["https://example.org:4400", "https://example.com"]
}
This configuration permits pages served from https://example.org on port 4400 and from https://example.com (default port 443) to embed the application. CSP matches a source expression on scheme, host and port, so any other origin, including http://example.com or https://example.org on a different port, is still blocked; list each origin exactly as the browser sees it.
How to update the header?
1. Open SSMS and connect to your database instance.
2. Execute the following statement. Make sure you replace the example sources ("https://example.org:4400", "https://example.com") with the domains you want to allow.
USE [Kepion_System];
GO
-- WARNING: Be cautious when updating CustomContentSecurityPolicy.
-- This setting is stored as JSON. Direct updates may overwrite existing configurations.
-- Ensure that updates preserve the existing structure.
-- Check if the CustomContentSecurityPolicy key exists
IF EXISTS (
SELECT 1
FROM [dbo].[SystemSettings]
WHERE [Key] = N'CustomContentSecurityPolicy'
)
BEGIN
-- Dynamically merge the existing JSON with the new frameAncestors value
DECLARE @ExistingValue NVARCHAR(MAX);
SELECT @ExistingValue = [Value]
FROM [dbo].[SystemSettings]
WHERE [Key] = N'CustomContentSecurityPolicy';
-- Use JSON_MODIFY to safely update the frameAncestors field
UPDATE [dbo].[SystemSettings]
SET [Value] = JSON_MODIFY(@ExistingValue, '$.frameAncestors', JSON_QUERY('["https://example.org:4400", "https://example.com"]'))
WHERE [Key] = N'CustomContentSecurityPolicy';
END
ELSE
BEGIN
-- Insert new key if it doesn't exist
INSERT INTO [dbo].[SystemSettings] ([Key], [Value])
VALUES (N'CustomContentSecurityPolicy', N'{"frameAncestors": ["https://example.org:4400", "https://example.com"]}');
END
Note: When updating CustomContentSecurityPolicy, proceed with caution as it is stored in JSON format. Direct updates can overwrite existing configurations, potentially disrupting other settings. Always ensure that your changes preserve the current JSON structure and include any pre-existing configurations.
3. Verify the changes in the SystemSettings table.
SELECT *
FROM [Kepion_System].[dbo].[SystemSettings]
WHERE [Key] = N'CustomContentSecurityPolicy';
4. Restart Kepion in IIS.
Note: To apply the changes, you must restart Kepion in Internet Information Services (IIS).
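Two things go wrong in practice with this procedure: an entry that is not an origin (an http:// URL, a path, a host with credentials) silently weakens or breaks the directive, and a hand-written UPDATE that drops other keys already stored in the JSON. The script below is an added example, not Kepion's own code: it validates each origin you intend to whitelist, merges the list into an existing CustomContentSecurityPolicy value while keeping its other keys (the same effect as the JSON_MODIFY statement above), and prints the frame-ancestors directive the stored list should produce so you can compare it with the served header. The existing setting value, including its second key, is constructed for the demonstration; the https-only rule is this example's policy choice, not a Kepion requirement.

```python
"""Validate and merge a frameAncestors whitelist for CustomContentSecurityPolicy.
Added example, not Kepion's own code. EXISTING_SETTING is constructed."""
import json
from urllib.parse import urlsplit

# Constructed sample of a stored value that already carries another key;
# a naive overwrite of the whole JSON would lose it.
EXISTING_SETTING = '{"someOtherKey": "keep-me", "frameAncestors": "\'none\'"}'


def validate_origin(source):
    """Accept only https origins of the form https://host[:port]; return them normalised."""
    parts = urlsplit(source)
    if parts.scheme != "https":
        raise ValueError("%s: only https origins should be allowed to embed the app" % source)
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("%s: origin must be https://host[:port] without credentials" % source)
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("%s: frame-ancestors matches origins, not paths" % source)
    # A wildcard is only meaningful as a leading label, e.g. https://*.example.com
    if "*" in parts.hostname and not parts.hostname.startswith("*."):
        raise ValueError("%s: wildcard must be a leading '*.' label" % source)
    return "https://%s" % parts.netloc.lower()


def is_valid_origin(source):
    """Boolean form of validate_origin, for pre-checking a list before touching the database."""
    try:
        validate_origin(source)
        return True
    except ValueError:
        return False


def merge_frame_ancestors(existing_json, sources):
    """Return the updated setting JSON: frameAncestors replaced, every other key preserved."""
    setting = json.loads(existing_json) if existing_json else {}
    setting["frameAncestors"] = [validate_origin(s) for s in sources]
    return json.dumps(setting)


def frame_ancestors_directive(setting_json):
    """The CSP directive a stored setting should translate to in the response header."""
    value = json.loads(setting_json)["frameAncestors"]
    sources = [value] if isinstance(value, str) else value  # the default is the string 'none'
    return "frame-ancestors " + " ".join(sources)


if __name__ == "__main__":
    updated = merge_frame_ancestors(EXISTING_SETTING, ["https://example.org:4400", "https://example.com"])
    print(updated)
    print(frame_ancestors_directive(updated))
```

Paste the printed JSON into the JSON_QUERY argument of the UPDATE above, restart IIS, and confirm that the served Content-Security-Policy contains exactly the printed frame-ancestors directive.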