{"id":2441,"date":"2022-07-27T20:01:28","date_gmt":"2022-07-27T18:01:28","guid":{"rendered":"https:\/\/www.h-hennes.fr\/blog\/?p=2441"},"modified":"2022-08-17T08:15:54","modified_gmt":"2022-08-17T06:15:54","slug":"prestashop-ameliorer-la-securite-de-votre-site-avec-les-csp","status":"publish","type":"post","link":"https:\/\/www.h-hennes.fr\/blog\/2022\/07\/27\/prestashop-ameliorer-la-securite-de-votre-site-avec-les-csp\/","title":{"rendered":"Prestashop : Am\u00e9liorer la s\u00e9curit\u00e9 de votre site avec les csp"},"content":{"rendered":"\n

Les C<\/strong>ontent S<\/strong>ecurity P<\/strong>olicies ( CSP ) vous permettent d’am\u00e9liorer la s\u00e9curit\u00e9 de votre site web et d’\u00e9viter les injections de contenus externes.
J’avais d\u00e9j\u00e0 fait un article sur leur utilit\u00e9 il y’a quelques ann\u00e9es dans le cadre du passage au https : D\u00e9tecter vos contenus mixtes avec les CSP<\/a>
Je ne vais pas parapher plus en d\u00e9tails leurs fonctionnement car il existe de tr\u00e8s bonnes ressources sur le sujet :<\/p>\n

https:\/\/developer.mozilla.org\/fr\/docs\/Web\/HTTP\/CSP<\/a> (FR)
https:\/\/content-security-policy.com\/<\/a> (EN)<\/p>\n

Il est important de noter tout de m\u00eame qu’il existe plusieurs modes de CSP avec des noms assez explicites :
Content-Security-Policy<\/em> : Le fonctionnement normal
Content-Security-Policy-Report-Only<\/em> : Fonctionnement \u00ab\u00a0Debug\u00a0\u00bb qui permets de r\u00e9cup\u00e9rer les erreurs et avertissements en vue d’une correction.<\/p>\n\n\n\n

Impl\u00e9mentation dans Prestashop<\/h3>\n\n\n\n

Pour l’impl\u00e9menter dans Prestashop nous allons d\u00e9finir les CSP via un header http que nous pourrons d\u00e9finir directement en php
Pour cela il est possible d’utiliser le hook ActionControllerInitBefore<\/strong> qui est appel\u00e9 assez t\u00f4t dans le workflow de l’ensemble des controllers ( Front \/ Back )
Voici comment je l’ai impl\u00e9ment\u00e9 :<\/p>\n\n\n\n

\n\/**\n     * Avant l'initialisation du controller on va d\u00e9finir les CSP\n     * @param array $params\n     * @return void\n     * @throws PrestaShopException\n     *\/\n    public function hookActionControllerInitBefore(array $params): void\n    {\n        if (Configuration::get($this->configPrefix . 'ENABLE')) {\n            $cspHeader = $this->getCspHeaders();\n            if (!empty($cspHeader)) {\n                if (Configuration::get($this->configPrefix . 'MODE') != self::CSP_MODE_REPORT_ONLY) {\n                    header(\"Content-Security-Policy: \" . $cspHeader);\n                }\n                if (Configuration::get($this->configPrefix . 'MODE') != self::CSP_MODE_BLOCK) {\n                    $cspHeader .= \" report-uri \" . $this->getCspReportUri();\n                    header(\"Content-Security-Policy-Report-Only: \" . $cspHeader);\n                }\n            }\n        }\n    }\n<\/pre>\n\n\n\n
C’est le seul code qui est n\u00e9cessaire pour g\u00e9rer les CSP.
Afin de vous faciliter la t\u00e2che j’ai cr\u00e9\u00e9 un nouveau module qui permets de les configurer directement depuis l’administration.

Attention dans un premier temps configurer le module en mode \u00ab\u00a0Rapport Uniquement\u00a0\u00bb<\/strong>

L’objectif de cet article n’est pas de vous apprendre quoi mettre dans les diff\u00e9rents champs, pour cela je vous renvoie vers le site https:\/\/content-security-policy.com\/<\/a> (EN) qui d\u00e9taille \u00e0 quoi servent les diff\u00e9rentes politiques.

Afin de pouvoir d\u00e9buguer, il y’a en bas de la page de configuration un aper\u00e7u des CSP g\u00e9n\u00e9r\u00e9es <\/p>\n\n\n\n
\"\"<\/a>
Configuration des CSP dans le back office de prestashop<\/figcaption><\/figure>\n\n\n\n
\"\"<\/a>
Pr\u00e9visualisation des CSP g\u00e9n\u00e9r\u00e9es \u00e0 partir de la configuration saisie dans le back office de Prestashop<\/figcaption><\/figure>\n\n\n\n
Une fois la premi\u00e8re version de votre configuration CSP termin\u00e9e, attendez quelques jours, puis vous pouvez vous assurer que tout fonctionne correctement en regardant dans l’onglet \u00ab\u00a0Logs\u00a0\u00bb, de la configuration du module.
Celui-ci va lire le contenu du fichier de logs qui contient l’ensemble des alertes.<\/p>\n\n\n\n
\"\"<\/a>
Exemple de log d’alerte CSP<\/figcaption><\/figure>\n\n\n\n
En fonction des diff\u00e9rentes urls vous pouvez ensuite les autoriser ou non.
Une fois cette p\u00e9riode pass\u00e9e, vous pouvez activer les 2 modes du module afin de bloquer r\u00e9ellement les ressources non souhait\u00e9es, tout en conservant les logs des probl\u00e8mes rencontr\u00e9s<\/p>\n\n\n\n
T\u00e9l\u00e9charger le module complet ( et gratuit ) sur la boutique<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Les Content Security Policies ( CSP ) vous permettent d’am\u00e9liorer la s\u00e9curit\u00e9 de votre site web et d’\u00e9viter les injections de contenus externes.J’avais d\u00e9j\u00e0 fait un article sur leur utilit\u00e9 il y’a quelques ann\u00e9es dans le cadre du passage au https : D\u00e9tecter vos contenus mixtes avec les CSPJe ne vais pas parapher plus en […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[245],"tags":[488,104],"class_list":["post-2441","post","type-post","status-publish","format-standard","hentry","category-prestashop-2","tag-csp","tag-prestashop","prestashop-1-6","prestashop-1-7","prestashop-8-0"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.h-hennes.fr\/blog\/wp-json\/wp\/v2\/posts\/2441","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.h-hennes.fr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.h-hennes.fr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.h-hennes.fr\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.h-hennes.fr\/blog\/wp-json\/wp\/v2\/comments?post=2441"}],"version-history":[{"count":5,"href":"https:\/\/www.h-hennes.fr\/blog\/wp-json\/wp\/v2\/posts\/2441\/revisions"}],"predecessor-version":[{"id":4658,"href":"https:\/\/www.h-hennes.fr\/blog\/wp-json\/wp\/v2\/posts\/2441\/revisions\/4658"}],"wp:attachment":[{"href":"https:\/\/www.h-hennes.fr\/blog\/wp-json\/wp\/v2\/media?parent=2441"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.h-hennes.fr\/blog\/wp-json\/wp\/v2\/categories?post=2441"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.h-hennes.fr\/blog\/wp-json\/wp\/v2\/tags?post=2441"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}