New in Cerberus FTP Server 12.7 Enterprise Edition is a tightening of security settings in the Web Administration and Web Client features. As part of our increased focus on security best practices, this change reduces cross-site scripting attack surfaces by strengthening the Content Security Policy.

What is a Content Security Policy?

A Content Security Policy (CSP) is a feature of modern browsers that restricts functionality on a webpage. Web developers use this feature to restrict the browser to only loading content known to and trusted by the application. CSP uses a set of rules that define how the browser restricts that content. These rules are defined by the application and delivered to the browser in an HTTP Header named Content-Security-Policy.

What’s Changed?

We’ve taken two steps to improve the security of our web-based applications. First, we updated our code to more closely follow best practices, for instance by moving inline JavaScript into stand-alone .js files for all of our web pages. These improvements enabled the second step: defining a more restrictive, and therefore safer, security policy for our applications. Specifically, we removed the ‘unsafe-inline’ keyword from our policy, which tells the browser not to run any script that wasn’t served directly from a file. This means malicious scripts inserted into HTML will simply not run, making Cerberus FTP Server safer from exploitation.

Settings & Configuration

The CSP used by our applications is static and predefined. It is displayed for informational purposes under Server Manager / Protocols / HTTP And HTTPS / Advanced HTTP/S.

As long as this box is checked, Cerberus FTP Server sends a CSP header while serving pages to all users. The option to disable the CSP header is provided only as a precaution; it is extremely rare for end-users to encounter problems caused by CSP.

Further Reading

The most relevant changes to the Content-Security-Policy header are the separation of the ‘default-src’ value into more specific directives, the addition of a ‘style-src’ directive, and the removal of ‘unsafe-inline’ from ‘script-src’.
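To make the effect of these directive changes concrete, here is an added example (not code from Cerberus FTP Server, and the two policies in it are constructed illustrations, not the actual header the product sends). It parses a Content-Security-Policy header, applies the browser's fallback rule from ‘script-src’ and ‘style-src’ to ‘default-src’, and reports whether an inline script would execute; it also shows why a policy that covered everything with one ‘default-src’ containing ‘unsafe-inline’ permitted inline scripts, while a policy with a separate ‘script-src’ without ‘unsafe-inline’ does not. The function and constant names are the example's own.

```python
"""Parse a Content-Security-Policy header and decide whether inline scripts
or styles would execute under it.  Added example code; the two policies below
are constructed for illustration and are not the header Cerberus sends."""

from typing import Dict, List, Optional

# Constructed permissive policy: a single default-src governs scripts and
# styles alike, and 'unsafe-inline' lets any inline <script> run.
PERMISSIVE_CSP = "default-src 'self' 'unsafe-inline'"

# Constructed tightened policy: script-src and style-src are split out from
# default-src, and 'unsafe-inline' no longer appears in script-src.
TIGHTENED_CSP = (
    "default-src 'self'; "
    "script-src 'self'; "
    "style-src 'self' 'unsafe-inline'; "
    "img-src 'self' data:"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are separated by ';', tokens by whitespace.  Directive names
    are case-insensitive, and browsers honour only the first occurrence of a
    directive name, so duplicates are ignored here as well.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Return the source list that actually governs `directive`.

    script-src and style-src fall back to default-src when they are absent.
    If neither is present the directive is unrestricted, signalled by None.
    """
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def allows_inline(header: str, directive: str) -> bool:
    """True if an inline block (no nonce, no hash) governed by `directive` runs."""
    sources = effective_sources(parse_csp(header), directive)
    if sources is None:
        return True  # nothing restricts this directive at all
    lowered = [s.lower() for s in sources]
    # Per CSP Level 2+, the presence of a nonce or hash source, or of
    # 'strict-dynamic', makes the browser ignore 'unsafe-inline' entirely.
    if "'strict-dynamic'" in lowered or any(
        s.startswith("'nonce-") or s.startswith("'sha") for s in lowered
    ):
        return False
    return "'unsafe-inline'" in lowered


def allows_inline_script(header: str) -> bool:
    return allows_inline(header, "script-src")


def allows_inline_style(header: str) -> bool:
    return allows_inline(header, "style-src")


def allows_script_from(header: str, script_origin: str, page_origin: str) -> bool:
    """True if an external script from `script_origin` may load.

    Simplified matching: handles '*', 'self', scheme-only sources such as
    "https:" and exact origin matches; wildcard hosts and paths are omitted.
    """
    sources = effective_sources(parse_csp(header), "script-src")
    if sources is None:
        return True
    origin = script_origin.lower()
    for src in sources:
        s = src.lower()
        if s == "*":
            return True
        if s == "'self'" and origin == page_origin.lower():
            return True
        if s.endswith(":") and origin.startswith(s):
            return True
        if s == origin:
            return True
    return False


if __name__ == "__main__":
    for label, csp in (("permissive", PERMISSIVE_CSP), ("tightened", TIGHTENED_CSP)):
        print(f"{label}: inline script allowed = {allows_inline_script(csp)}, "
              f"inline style allowed = {allows_inline_style(csp)}")
```

Run as a script it reports that the constructed permissive policy allows inline scripts while the tightened one does not, yet the tightened policy still allows inline styles because ‘unsafe-inline’ remains in its separate ‘style-src’; that separation is exactly what lets ‘script-src’ be locked down without touching styling.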

References on how this affects web pages may be found at https://content-security-policy.com/ and https://en.wikipedia.org/wiki/Content_Security_Policy

Conclusion

The new changes to the CSP in Cerberus FTP Server 12.7 provide an additional layer of security against unauthorized scripts executing within a client’s browser. While we already implement a variety of measures in Cerberus to ensure browsers are protected from malicious activity, the CSP provides another safeguard to help keep systems safe.

If there are any other questions or concerns, please feel free to contact us or give us feedback on your Cerberus FTP Server.