Primarysite: Cyber Security and Content Security Policy (CSP)

When cyber security checks are run against a Primarysite website, the questions below commonly arise from the results.

Why Doesn't My Website Have a Content Security Policy (CSP)?

Primarysite does not currently enforce a Content Security Policy (CSP) across all websites. Implementing a CSP universally would limit some of the flexibility you currently enjoy when adding content to your website. Instead, we have implemented extensive security measures to protect you and your website visitors from the types of attacks CSP is designed to prevent. These measures include:

  • Security-Focused Development: Our development practices prioritise security to safeguard your website.
  • Annual Independent Penetration Testing: We conduct yearly penetration tests on the content management system to ensure there are no vulnerabilities.
  • Weekly Vulnerability Scanning: We use a tool called Detectify to perform weekly scans of the content management system, checking for known vulnerabilities.

What is a Content Security Policy (CSP)?

A Content Security Policy (CSP) is a computer security standard designed to prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by controlling which sources the browser may load and execute content from. For example, if your CSP only permits content from your own website, an embedded YouTube video would not display, because the browser would block the frame.
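As an added illustration of that behaviour (example code, not part of the original article and not Primarysite's code), the evaluator below applies a few CSP source rules to the YouTube case: under `default-src 'self'` the embed is blocked, and adding `frame-src https://www.youtube.com` allows it. It also shows that `default-src` alone does not stop another site framing the page; a separate `frame-ancestors` directive is needed for that. The page origin, the third-party origin and the video URL are constructed placeholders, and the matching logic is simplified (no nonces, hashes, paths or port rules).

```python
"""Tiny CSP evaluator: does a given directive let the browser load a URL?

Added example, not part of the original article or the Primarysite CMS.
It models only host, scheme, 'self', 'none' and '*' sources; nonces,
hashes, paths and port rules are left out for clarity.
"""
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when absent.
# frame-ancestors is deliberately not in this set: it never falls back.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "frame-src"}

# Constructed placeholder values; not real Primarysite hosts.
PAGE_ORIGIN = "https://school.example"
YOUTUBE_EMBED = "https://www.youtube.com/embed/VIDEO_ID"
THIRD_PARTY = "https://other-site.example"

STRICT_POLICY = "default-src 'self'"
RELAXED_POLICY = ("default-src 'self'; frame-src https://www.youtube.com; "
                  "frame-ancestors 'none'")


def parse_csp(header: str) -> dict:
    """Split 'name src src; name src' into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _source_matches(source: str, url: str, page_origin: str) -> bool:
    """Check one source expression against a URL (simplified matching)."""
    u = urlparse(url)
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source.endswith(":"):                      # scheme-source, e.g. https:
        return u.scheme == source[:-1]
    scheme, _, host = source.rpartition("://")    # host-source, optional scheme
    if scheme and scheme != u.scheme:
        return False
    if host.startswith("*."):                     # wildcard subdomain
        return u.netloc.endswith(host[1:])
    return u.netloc == host


def allowed(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """True if the policy lets `url` load for `directive`."""
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True            # nothing restricts this directive
    return any(_source_matches(s, url, page_origin) for s in sources)


def demo() -> dict:
    """Compare the strict and relaxed policies on the cases the article describes."""
    strict, relaxed = parse_csp(STRICT_POLICY), parse_csp(RELAXED_POLICY)
    return {
        "strict_blocks_youtube": not allowed(strict, "frame-src", YOUTUBE_EMBED, PAGE_ORIGIN),
        "relaxed_allows_youtube": allowed(relaxed, "frame-src", YOUTUBE_EMBED, PAGE_ORIGIN),
        "own_script_allowed": allowed(strict, "script-src", PAGE_ORIGIN + "/js/app.js", PAGE_ORIGIN),
        # default-src alone does not stop another site framing the page
        "strict_permits_framing": allowed(strict, "frame-ancestors", THIRD_PARTY, PAGE_ORIGIN),
        "relaxed_blocks_framing": not allowed(relaxed, "frame-ancestors", THIRD_PARTY, PAGE_ORIGIN),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The point for site owners is the trade-off the article describes: every external embed (video, map, document viewer) needs its own allow-listed source, and a site that changes embeds often would need its policy updated each time.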

Why is My RDP Internet-Facing?

RDP (Remote Desktop Protocol) is a service specific to Windows servers. Since all our servers run on Linux, RDP is not available and wouldn't work even if attempted.

The flagged check is a generic one that scans for potential issues across both Windows and Linux environments. It does not differentiate between server types, which is why this item was flagged incorrectly.

Regarding Reports Flagging "Site Does Not Use Best Practices Against Embedding of Malicious Content," "Clickjacking Exposure," or "Unsafe Implementation of Subresource Integrity"

Your website is secure as it currently stands. No additional security measures can be applied without imposing strict limitations that would restrict your ability to embed documents and external content. Enforcing stricter parameters would significantly limit the functionality available to users of embedding tools.
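For readers who want to see what the "Subresource Integrity" item refers to, the following added example (not code from the article or from Primarysite) generates the `integrity` attribute for a script, builds the matching `<script>` tag, and verifies fetched bytes the way a browser does. The script contents and the CDN URL are constructed for the demonstration. It also shows the failure mode behind an "unsafe implementation" finding: a token whose algorithm name the browser does not recognise is ignored, so the resource loads unchecked.

```python
"""Subresource Integrity (SRI): generate and verify integrity attributes.

Added example; not the article's or Primarysite's code. The script bytes
and URL below are constructed for the demonstration.
"""
import base64
import hashlib

SCRIPT_BYTES = b"window.widget = function () { return 'hello'; };\n"  # constructed
SCRIPT_URL = "https://cdn.example/widget.js"                            # placeholder

# Algorithms SRI recognises, weakest to strongest. Browsers ignore anything else.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(data: bytes, algorithm: str = "sha384") -> str:
    """Return an integrity token such as 'sha384-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, data: bytes) -> str:
    """Build a <script> tag pinned to the exact bytes the hash was taken from.

    crossorigin="anonymous" is required for cross-origin SRI checks to run.
    """
    return (f'<script src="{src}" integrity="{sri_hash(data)}" '
            'crossorigin="anonymous"></script>')


def has_enforceable_metadata(integrity: str) -> bool:
    """A token is only enforced if its algorithm is one the browser knows."""
    return any(tok.partition("-")[0] in SRI_ALGORITHMS for tok in integrity.split())


def verify(data: bytes, integrity: str) -> bool:
    """Mirror the browser: keep tokens with the strongest known algorithm and
    accept the resource if any of them matches the fetched bytes.

    With no recognisable token the attribute is treated as absent and the
    resource loads unchecked, which is why a typo quietly disables SRI.
    """
    tokens = [t for t in integrity.split() if t.partition("-")[0] in SRI_ALGORITHMS]
    if not tokens:
        return True
    strongest = max(SRI_ALGORITHMS.index(t.partition("-")[0]) for t in tokens)
    return any(sri_hash(data, t.partition("-")[0]) == t
               for t in tokens
               if SRI_ALGORITHMS.index(t.partition("-")[0]) == strongest)


def demo() -> dict:
    """Run the cases a reviewer would check: match, tamper, and a mistyped token."""
    good = sri_hash(SCRIPT_BYTES)
    tampered = SCRIPT_BYTES.replace(b"hello", b"changed")
    mistyped = "sha-384-" + good.split("-", 1)[1]   # algorithm name with a typo
    return {
        "original_passes": verify(SCRIPT_BYTES, good),
        "modified_fails": not verify(tampered, good),
        "typo_not_enforced": not has_enforceable_metadata(mistyped),
        "typo_loads_anyway": verify(tampered, mistyped),
    }


if __name__ == "__main__":
    print(script_tag(SCRIPT_URL, SCRIPT_BYTES))
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The practical consequence is the one the article points to: a pinned hash must be regenerated whenever the embedded resource changes, which is workable for a fixed script but not for content a site owner swaps in and out freely.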


Website Object Storage

As we use S3 to store website assets, those resources need to be publicly readable so they can be displayed on the site.
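"Public" here means anonymous read access to individual objects, not the ability to list or modify the bucket. The added example below (not Primarysite's configuration; the bucket name is a placeholder) builds the minimal bucket policy that grants exactly that, and includes a small check that flags any statement giving everyone more than `s3:GetObject`, which is the kind of thing a scan report would pick up.

```python
"""Least-privilege public-read policy for a website asset bucket, plus a check.

Added example, not Primarysite's configuration. The bucket name is a placeholder.
"""
import json

BUCKET = "example-website-assets"   # placeholder, not a real bucket


def public_read_policy(bucket: str) -> dict:
    """Anyone may GET individual objects; nobody may list, write or delete."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _as_list(value):
    """IAM JSON lets a scalar stand in for a single-item list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_everyone(principal) -> bool:
    """True for the two spellings of an anonymous principal."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def over_broad_public_grants(policy: dict) -> list:
    """Actions an anonymous caller is granted beyond reading single objects."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _grants_everyone(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action")):
            if action.lower() != "s3:getobject":
                findings.append(action)
    return findings


def demo() -> dict:
    """Compare the minimal policy with two common over-broad variants."""
    good = public_read_policy(BUCKET)

    listing = public_read_policy(BUCKET)          # also lets anyone enumerate keys
    listing["Statement"][0]["Action"] = ["s3:GetObject", "s3:ListBucket"]
    listing["Statement"][0]["Resource"] = [f"arn:aws:s3:::{BUCKET}",
                                           f"arn:aws:s3:::{BUCKET}/*"]

    wide_open = public_read_policy(BUCKET)        # anyone may write or delete
    wide_open["Statement"][0]["Action"] = "s3:*"

    return {
        "minimal": over_broad_public_grants(good),
        "with_listing": over_broad_public_grants(listing),
        "wide_open": over_broad_public_grants(wide_open),
        "policy_json": json.dumps(good, indent=2),
    }


if __name__ == "__main__":
    result = demo()
    print(result["policy_json"])
    for case in ("minimal", "with_listing", "wide_open"):
        print(f"{case}: {result[case] or 'ok'}")
```

Note that a public bucket policy only takes effect if the bucket's and account's S3 Block Public Access settings permit it; a site-assets bucket is one of the few cases where relaxing that setting for the specific bucket is the intended configuration.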
