A reasonable CSP (Content Security Policy) for shiny applications

adisarid · August 7, 2023, 1:04pm

I want to keep my shiny applications secure and reduce the risk of cross-site-scripting, and other code injection attacks.

I understand that defining a strict CSP can mitigate such risks; however, it also breaks the functionality of shiny.
I tried using a CSP header of script-src 'self';but it breaks shiny's functionality. Using script-src 'self' 'unsafe-inline' 'unsafe-eval'; works, but from what I read, I presume it is too vulnerable.

What would be a reasonable CSP that actually works?

I'm using shiny server (open source) v1.5.12.933, and Nginx/1.14.0.

tommy_shintolabs · September 21, 2023, 12:21pm

I'm having the same issue. Does anyone have an answer to this question ?

adisarid · September 21, 2023, 1:08pm

I was just at the posit::conf and completely forgot to ask this. @winston do you have an idea who can help with this?

system · November 14, 2023, 5:08pm

This topic was automatically closed 54 days after the last reply. New replies are no longer allowed.

If you have a query related to it or one of the replies, start a new topic and refer back with a link.