[Geomoose-users] Advice on securing a GeoMoose application

Bistrais, Bob Bob.Bistrais at maine.gov
Tue Jan 19 12:13:27 PST 2016


Hi again folks,

I sent my security report to Dan and it looks like many of the problems are Apache related.  I've made some progress on that front.  A problem I can't seem to resolve now is the issue of Content Security Policy headers.  This is actually a Dojo problem but wondering if anyone's had the same problem and can advise.  
I tried setting a content security policy on the Apache http.conf file as follows:
Header set Content-Security-Policy: "default-src 'self' http://dojotoolkit.org; script-src 'self' http://dojotoolkit.org"

-But when I try to load the application I get an error with Dojo.  In FireBug this is the error:

Error: call to Function() blocked by CSP
	...op=Object.prototype,_97=op.toString,_98=new Function,_99=0,_9a="constructor";fun..

-Any ideas?

Thanks again,
BB

-----Original Message-----
From: Dan Little [mailto:theduckylittle at gmail.com] 
Sent: Wednesday, January 13, 2016 1:18 PM
To: Bistrais, Bob
Cc: geomoose-users at lists.osgeo.org
Subject: Re: [Geomoose-users] Advice on securing a GeoMoose application

Hey Bob,

Not sure any of these are directly GeoMOOSE.

A lot of those are generic errors that can be addressed but we (I) would need a lot more information about what their scanner found.



On Tue, Jan 12, 2016 at 10:52 AM, Bistrais, Bob <Bob.Bistrais at maine.gov> wrote:
> Hi all,
>
> I’m working through a Deployment Certification on one of my GeoMoose 
> applications.  Our web security folks sent me back a report of the 
> security scan.  Issues include cross-site scripting, directory 
> listings, link injection, phishing through frames, and others.
>
> Within the context of the GeoMoose architecture, can anyone provide 
> advice, or direct me to a good resource, on how to address those kinds of issues?
>
> Thanks,
>
> Bob
>
> _______________________________________________
> Geomoose-users mailing list
> Geomoose-users at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/geomoose-users
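
Added example, not part of the original thread and not GeoMoose or Dojo code: browsers refuse eval-like calls such as `new Function` unless the source list that governs scripts contains 'unsafe-eval', which is the rule behind the "call to Function() blocked by CSP" error in the message above. The JavaScript below applies that rule to the policy value from the message and to two constructed variants; all function and constant names are hypothetical.

```javascript
// Parse a CSP header value into a Map: directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source list that governs eval-like calls: script-src if present,
// otherwise default-src. script-src does NOT inherit from default-src.
function effectiveScriptSources(policy) {
  const d = parseCsp(policy);
  if (d.has('script-src')) return d.get('script-src');
  if (d.has('default-src')) return d.get('default-src');
  return null; // neither directive: scripts are unrestricted
}

// eval() and new Function() need 'unsafe-eval' in that source list.
function allowsEval(policy) {
  const sources = effectiveScriptSources(policy);
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Policy value from the message above.
const PAGE_POLICY =
  "default-src 'self' http://dojotoolkit.org; script-src 'self' http://dojotoolkit.org";
// Constructed variants for comparison.
const EVAL_IN_SCRIPT_SRC =
  "default-src 'self'; script-src 'self' http://dojotoolkit.org 'unsafe-eval'";
const EVAL_IN_DEFAULT_ONLY =
  "default-src 'self' 'unsafe-eval'; script-src 'self' http://dojotoolkit.org";

for (const p of [PAGE_POLICY, EVAL_IN_SCRIPT_SRC, EVAL_IN_DEFAULT_ONLY]) {
  console.log(allowsEval(p) ? 'Function() allowed:' : 'Function() blocked:', p);
}
```

Adding 'unsafe-eval' lets every script the policy admits use eval() as well, so it loosens the policy for the whole page and not only for the one library that triggered the error.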

