Michael Bernardo

Reputation: 31

How do you set a content security policy in Apache to block form posts from all external sources?

I have a form that will accept a form post from self and external sources. How do I enter the correct syntax in Apache/2.4.29 (Ubuntu) web server to block form posts from all external sources? I have the following already set up in my apache config file and have restarted apache without errors:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        Header set Content-Security-Policy "form-action 'self'"
        DocumentRoot /home/michael/public_html
    </VirtualHost>
</IfModule>

But when I test posting to it from an external site, it is still accepting it. I know this because the input field contains the same value that I entered in the external form. I am using Brave 1.73 to test.

Upvotes: 0

Views: 37

Answers (1)

Halvor Sakshaug

Reputation: 3475

Form-action controls where a form can post to, not where it can receive posts from. Your problem could possibly be solved by a cookie with a SameSite restriction set to Strict or Lax. If you set this cookie on the form page it will only be included when the form is posted from your site, not when it is posted from other sites. If this cookie is not present, you should reject the form input.

Upvotes: 1
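The approach in the answer, written out as an Apache 2.4 configuration. This is an added example, not config from the question or the answer: the form page path (/form.html), the handler path (/submit.php) and the cookie name (form_sess) are placeholders chosen for illustration, and it assumes mod_headers and mod_rewrite are enabled. The form page issues a SameSite=Strict cookie; browsers then omit that cookie on any POST that originates from another site, and the rewrite rule turns such cookie-less POSTs into a 403. The CSP form-action directive from the question is kept, since it still usefully restricts where the site's own forms may submit.

```apache
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        DocumentRoot /home/michael/public_html

        # Restricts where forms served by this site may submit to.
        # It does not restrict who may POST to this site.
        Header set Content-Security-Policy "form-action 'self'"

        # On the page that serves the form (placeholder path), issue a cookie
        # that browsers only attach to same-site requests. "add" rather than
        # "set" so any other Set-Cookie headers on the response are preserved.
        <Location "/form.html">
            Header always add Set-Cookie "form_sess=1; Path=/; Secure; HttpOnly; SameSite=Strict"
        </Location>

        # Reject POSTs to the form handler (placeholder path) that arrive
        # without the same-site cookie, i.e. posts made from other sites.
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} =POST
        RewriteCond %{HTTP_COOKIE} !(^|;\s*)form_sess=1(;|$)
        RewriteRule ^/submit\.php$ - [F]
    </VirtualHost>
</IfModule>
```

SameSite=Lax would also work here, because Lax only attaches the cookie to top-level GET navigations, never to a cross-site POST. Strict additionally withholds the cookie when a user follows a link from another site to /form.html, but since that page sets the cookie again on load, the subsequent same-site submission still carries it. If the handler is application code rather than a static path, perform the same cookie check there and return an error when it is absent, exactly as the answer suggests.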
