New in Cerberus FTP Server 12.7 Enterprise Edition is a tightening of security settings in the Web Administration and Web Client features. As part of our increased focus on security best practices, this change reduces cross-site scripting attack surfaces by strengthening the Content Security Policy.
What is a Content Security Policy?
A Content Security Policy (CSP) is a feature of modern browsers that restricts what a web page is allowed to load and execute. Web developers use it to limit the browser to loading only content known to and trusted by the application: scripts, stylesheets, images and other resources from approved sources. CSP expresses these restrictions as a set of directives, each naming a type of content and the sources permitted for it. The directives are defined by the application and delivered to the browser in an HTTP response header named Content-Security-Policy; the browser, not the server, enforces them, so the protection applies only to clients that support CSP.
Settings & Configuration
The CSP used by the Web Administration and Web Client is static and predefined; it is not editable. It is displayed for informational purposes under Server Manager / Protocols / HTTP And HTTPS / Advanced HTTP/S.
As long as the CSP option on that page is checked, Cerberus FTP Server sends the Content-Security-Policy header with every page it serves to all users. The option to disable the header is provided only as a precaution; it is extremely rare for end users to encounter problems caused by CSP, and disabling it removes the protection described here. You can confirm the header is being sent by inspecting the response headers in your browser's developer tools.
The most relevant changes to the Content-Security-Policy header are that ‘default-src’ is no longer relied on as the single source list for every type of content (specific directives now carry their own values), a ‘style-src’ directive has been added, and ‘unsafe-inline’ has been removed from ‘script-src’. The last of these matters most for cross-site scripting: without ‘unsafe-inline’, a browser refuses to run inline <script> blocks and inline event handlers such as onclick=, so a script injected into a page is not executed even if it reaches the browser.
References on how these directives affect web pages: https://content-security-policy.com/ and https://en.wikipedia.org/wiki/Content_Security_Policy
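To make the effect of these directive changes concrete, here is an added example, written for this page and not code from Cerberus FTP Server: a small JavaScript evaluator that mimics how a browser resolves a directive against ‘default-src’ and decides whether a resource load or an inline script is allowed. The two policies, the origin https://ftp.example.com and every URL in it are constructed for illustration and are not the exact header Cerberus FTP Server 12.7 sends; keeping ‘unsafe-inline’ in ‘style-src’ is likewise an assumption made only to show the two directives being evaluated separately.

```javascript
// Added example, not Cerberus FTP Server code: a minimal Content-Security-Policy
// evaluator that mimics how a browser decides whether a load or an inline
// script is permitted. Both policies below are constructed for illustration
// and are NOT the exact header Cerberus FTP Server 12.7 sends.

// A hypothetical older-style policy that leans on default-src for everything
// and allows inline script.
const OLD_POLICY = "default-src 'self' 'unsafe-inline'";

// A 12.7-style policy: script-src carries its own list without 'unsafe-inline',
// style-src is separate (kept permissive for inline styles here as an
// assumption), and only directives not listed fall back to default-src.
const NEW_POLICY =
  "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:";

// Parse a header value into { directiveName: [source, ...] }. Per the CSP
// spec the first occurrence of a directive wins; later duplicates are ignored.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Source list that governs a fetch directive: the directive itself if present,
// otherwise default-src; null means the policy does not restrict it at all.
function effectiveSources(policy, directive) {
  if (policy[directive]) return { from: directive, sources: policy[directive] };
  if (policy["default-src"]) return { from: "default-src", sources: policy["default-src"] };
  return { from: null, sources: null };
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// Does one source expression match a URL? Covers 'none', *, 'self' (origin
// equality, a simplification of the spec), scheme-sources like "data:" and
// host-sources with an optional scheme, leading *. wildcard and port.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "*") return true;
  const u = new URL(url);
  if (source === "'self'") return u.origin === new URL(pageOrigin).origin;
  if (source.startsWith("'")) return false; // keywords, nonces and hashes never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && u.protocol !== scheme.toLowerCase() + ":") return false;
  const h = u.hostname.toLowerCase();
  const hostOk = wildcard ? h.endsWith("." + host.toLowerCase()) : h === host.toLowerCase();
  if (!hostOk) return false;
  if (port && port !== "*" && (u.port || defaultPort(u.protocol)) !== port) return false;
  return true;
}

// Would the browser fetch `url` for `directive` (e.g. a <script src>) under this policy?
function allowsUrl(policy, directive, url, pageOrigin) {
  const { sources } = effectiveSources(policy, directive);
  if (sources === null) return true;
  return sources.some((s) => sourceMatches(s, url, pageOrigin)); // [] behaves like 'none'
}

// Would an inline <script>/<style> block or an on*= handler run? Only with
// 'unsafe-inline' (nonce- and hash-sources are out of scope for this example).
function allowsInline(policy, directive) {
  const { sources } = effectiveSources(policy, directive);
  if (sources === null) return true;
  return sources.includes("'unsafe-inline'");
}

// Evaluate the cases that matter for XSS under a given header. The origin and
// URLs are constructed sample values.
function evaluate(header, pageOrigin = "https://ftp.example.com") {
  const policy = parseCsp(header);
  return {
    scriptGovernedBy: effectiveSources(policy, "script-src").from,
    inlineScript: allowsInline(policy, "script-src"),
    inlineStyle: allowsInline(policy, "style-src"),
    sameOriginScript: allowsUrl(policy, "script-src", pageOrigin + "/js/app.js", pageOrigin),
    foreignScript: allowsUrl(policy, "script-src", "https://attacker.example.net/x.js", pageOrigin),
    dataImage: allowsUrl(policy, "img-src", "data:image/png;base64,AAAA", pageOrigin),
  };
}

console.log("old:", evaluate(OLD_POLICY));
console.log("new:", evaluate(NEW_POLICY));
```

Run it with node. The one field that flips between the two policies for scripts is `inlineScript`: under the older policy the inherited ‘unsafe-inline’ lets an injected `<script>` or `onerror=` handler run, while under the 12.7-style policy ‘script-src’ is resolved on its own and refuses it, even though same-origin script files still load and foreign ones are blocked either way. The `dataImage` field shows the other side of splitting directives out of ‘default-src’: a directive can be made more permissive (here, data: images) without loosening script execution.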
The new changes to the CSP in Cerberus FTP Server 12.7 provide an additional layer of security against unauthorized scripts executing within a client’s browser. While we already implement a variety of measures in Cerberus to ensure browsers are protected from malicious activity, the CSP provides another safeguard to help keep systems safe.
If there are any other questions or concerns, please feel free to contact us or give us feedback on your Cerberus FTP Server.