Header Content security

[dauzeine]

Hello everyone,
in order to improve the security of my chamilo platform, I configured, in the VirtualHost, same mod_headers lines. One is particularly tricky for me, "Header always set Content-Security-Policy".
In script-src, I added my chamilo url. But it's not enough, as chamilo certainly asks scripts to run from other sites...

Does some configure any chamilo platform with mod-headers active?
david

[ywarnier]

Hi @dauzeine

Your case is not super detailed. There is a whole section called "HTTP headers security" in main/install/configuration.dist.php allowing you to configure these headers. As far as I know, there's no additional need to configure them through mod_headers, but you might prefer this way.

On the other side, we strive to depend on the least amount of external resources in Chamilo, so except if you are using a CSS with custom fonts loaded directly from Google, for example, the impact on Chamilo should be minor (you can probably not use the pixelizr widget to edit pictures in the documents tool and a few other sub-tools in documents, but that's about it. I'm answering to the best of my knowledge without checking the code.

[dauzeine]

Thanks Yannick for your quick reply.
script-src, in the configuration.dist.php or in my VirtualHost, blocks some of the features of chamilo (in the Document part for example, see another post).
Sorry, I read my previous post, and it was no very clear. I try to achieve to have a A+ in some security tests... If I find a "good" script-src config, I will tell you.
Thank you as usual, and I am thrilled to see chamilo2!
david