Notice about new Content Security Policy headers

The next stable release of KoboToolbox will include new options to set a Content Security Policy (CSP). CSP headers improve your security posture by blocking cross-site scripting (XSS) attacks, for example by refusing to load JavaScript from an unrecognized domain. To avoid breaking changes, these headers will be disabled by default. We recommend enabling them; the following new environment variables are provided.

  • ENABLE_CSP - Set to True. Most users can set this and ignore the rest.
  • CSP_EXTRA_DEFAULT_SRC - Set to a comma-separated list of any custom sources that need to be added to the default CSP policy. For example, if you use a service like https://analytics.example.com, set the value to https://analytics.example.com, or allow an entire domain with https://*.example.com
  • CSP_REPORT_ONLY - Set to True to report CSP violations without actually blocking content.
  • CSP_REPORT_URI - Send CSP violation reports to a monitoring service like GlitchTip or csplogger, which are both free, open-source applications that you can run yourself. That lets you get notified when a source is blocked.
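
To see how these four settings combine into an actual header, here is an added example (not kpi's own implementation, whose real default policy is not given in this post): it builds the header from a dict of the variables above, assuming a baseline of `default-src 'self'`, and includes a small host-source matcher you can use to check in advance whether a custom source would be blocked. Note that `https://*.example.com` matches subdomains only, not `https://example.com` itself.

```python
"""Build the CSP header implied by ENABLE_CSP, CSP_EXTRA_DEFAULT_SRC,
CSP_REPORT_ONLY and CSP_REPORT_URI, then check sources against it."""
from urllib.parse import urlparse

# Assumed baseline; the real kpi default policy is not part of the post.
BASELINE_DEFAULT_SRC = ["'self'"]


def truthy(value):
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def build_csp(env):
    """Return (header_name, header_value), or None when CSP is disabled."""
    if not truthy(env.get("ENABLE_CSP", "False")):
        return None
    sources = list(BASELINE_DEFAULT_SRC)
    for src in (s.strip() for s in env.get("CSP_EXTRA_DEFAULT_SRC", "").split(",")):
        if src and src not in sources:
            sources.append(src)
    directives = ["default-src " + " ".join(sources)]
    report_uri = env.get("CSP_REPORT_URI", "").strip()
    if report_uri:
        directives.append("report-uri " + report_uri)
    # Report-only mode only changes the header name, not the policy itself.
    name = ("Content-Security-Policy-Report-Only"
            if truthy(env.get("CSP_REPORT_ONLY", "False"))
            else "Content-Security-Policy")
    return name, "; ".join(directives)


def source_allows(source_expr, url):
    """True if a host-source such as https://*.example.com matches url.
    Simplified matching: scheme and port must be equal; a leading '*.'
    matches subdomains only, never the bare domain (as in the CSP spec)."""
    want, got = urlparse(source_expr), urlparse(url)
    if want.scheme != got.scheme or want.port != got.port:
        return False
    if want.hostname.startswith("*."):
        return got.hostname.endswith(want.hostname[1:])
    return want.hostname == got.hostname


def blocked_sources(env, site_origin, urls):
    """Return the urls the built default-src would not allow. 'self' is
    expanded to site_origin; other keyword sources are not modelled."""
    built = build_csp(env)
    if built is None:
        return []
    exprs = built[1].split(";")[0].split()[1:]
    exprs = [site_origin if e == "'self'" else e for e in exprs]
    return [u for u in urls if not any(source_allows(e, u) for e in exprs)]
```

Run `blocked_sources` with your planned CSP_EXTRA_DEFAULT_SRC and the script URLs your forms actually load before turning CSP_REPORT_ONLY off.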

If you already set your own CSP headers elsewhere, for example in nginx, you can disregard this.

These changes will be implemented in kpi and we hope to contribute them to enketo express as well. I’ll post again when the changes are released. They are not final, so please let me know if you have any comments or suggestions. Setting CSP is a security best practice and I recommend enabling this.