Browser hardening roadmap for the Higher Ed Platform
- Product: Higher Ed Platform
Ex Libris is happy to announce a series of developments to increase security on the Higher Ed Platform. These improvements will enhance the browser's ability to detect and prevent cross-site scripting and other malicious activity. Ex Libris is committed to providing its customers with a highly secure and reliable environment for our applications. The developments will add HTTP headers that define the Content Security Policy (CSP) and the HTTP Strict Transport Security (HSTS) policy of the Higher Ed Platform. The developments are tentatively planned to be deployed between December 2021 and September 2024 and will result in an excellent security header benchmark score.
Deployment Roadmap:
December 2021 - November 2022: Implementation of Content Security Policy basics
- frame-ancestors: This directive instructs the browser to block iframes embedding the Higher Ed Platform unless the embedding site is one of the allow-listed domains. The allow-listed domains will be configurable in the Higher Ed Platform.
December 2022 – March 2024: Implementation of Content Security Policy: Level 1
- object-src 'none': This directive informs the browser that the Higher Ed Platform does not use the object, embed or applet elements in its HTML. Any element of these types found in the HTML will be blocked by the browser.
- worker-src 'none': This directive informs the browser that the Higher Ed Platform does not use Worker, SharedWorker or ServiceWorker in its JavaScript. Any attempt to create one of these objects will be blocked by the browser.
- report-uri: This directive specifies the endpoint to which the browser sends reports of violations of our content security policy.
- upgrade-insecure-requests: This directive instructs the browser to request any URL that would otherwise be fetched over HTTP over HTTPS instead.
September 2022 – April 2022: Implementation of HTTP Strict Transport Security (HSTS)
- Strict-Transport-Security: This header instructs the browser to send requests to the Higher Ed Platform only over HTTPS and prevents it from sending HTTP requests to the platform. This policy allows the browser to detect and prevent a potential man-in-the-middle attack if a user inadvertently uses HTTP to access the Higher Ed Platform.
April 2024 - November 2024: Implementation of Content Security Policy: Level 2
- form-action 'self': This directive informs the browser that the Higher Ed Platform expects forms to be submitted only back to the origin that served the form. This policy prevents information from being inadvertently posted to a different site.
- base-uri 'self': This directive informs the browser that the Higher Ed Platform expects the 'base' HTML element to point only to the Higher Ed Platform's own origin, not to any other source.
- script-src 'self' 'unsafe-inline' 'unsafe-eval' '{allow-listed domains}': This directive informs the browser that the Higher Ed Platform expects JavaScript to be retrieved only from the Higher Ed Platform, inline in the page, or from a specified list of other domains; 'unsafe-inline' and 'unsafe-eval' are the keywords that permit inline scripts and eval().
- frame-src 'self' '{allow-listed domains}': This directive informs the browser that the Higher Ed Platform expects all frame and iframe elements to retrieve their content only from the Higher Ed Platform or from a specified list of other domains.
- connect-src 'self' '{allow-listed domains}': This directive informs the browser that script interfaces such as AJAX or fetch() may retrieve data only from the Higher Ed Platform or from a specified list of other domains.
November 2024: All CSP header directives will be available for configuration. For details, see Security.
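As an added illustration (not Ex Libris code), the following Python assembles the directives listed in this roadmap into a single CSP header value from a constructed allow-list, and audits a CSP/HSTS header pair against the roadmap's end state, flagging the 'unsafe-inline' and 'unsafe-eval' keywords in script-src as the weakening a reviewer would note. The domains, the /csp-report endpoint and the 'self' entry in frame-ancestors are assumptions.

```python
"""Build and audit the CSP / HSTS headers described in the roadmap.

Added example; not Ex Libris code. Allow-list domains and the report
endpoint are constructed placeholders, not real platform configuration.
"""
from typing import Dict, List

# Constructed sample allow-list (hypothetical values).
ALLOWED = ["https://lms.example.edu", "https://sso.example.edu"]


def build_csp(allowed: List[str]) -> str:
    """Join the roadmap's directives into one Content-Security-Policy value."""
    quoted = " ".join(allowed)
    directives = [
        f"frame-ancestors 'self' {quoted}",   # 'self' is an assumption
        "object-src 'none'",
        "worker-src 'none'",
        "upgrade-insecure-requests",
        "form-action 'self'",
        "base-uri 'self'",
        f"script-src 'self' 'unsafe-inline' 'unsafe-eval' {quoted}",
        f"frame-src 'self' {quoted}",
        f"connect-src 'self' {quoted}",
        "report-uri /csp-report",             # hypothetical endpoint
    ]
    return "; ".join(directives)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit(csp: str, hsts: str) -> List[str]:
    """Return findings a reviewer would raise against these two headers."""
    p = parse_csp(csp)
    findings = []
    for d in ("frame-ancestors", "form-action", "base-uri",
              "script-src", "frame-src", "connect-src"):
        if d not in p:
            findings.append(f"missing {d}")
    for d in ("object-src", "worker-src"):
        if p.get(d) != ["'none'"]:
            findings.append(f"{d} should be 'none'")
    if "upgrade-insecure-requests" not in p:
        findings.append("missing upgrade-insecure-requests")
    if "report-uri" not in p and "report-to" not in p:
        findings.append("no violation reporting directive")
    # These keywords permit inline scripts and eval(), weakening XSS defence.
    for weak in ("'unsafe-inline'", "'unsafe-eval'"):
        if weak in p.get("script-src", []):
            findings.append(f"script-src allows {weak}")
    if "max-age=" not in hsts:
        findings.append("HSTS header missing or lacks max-age")
    return findings
```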
- Article last edited: 13-Dec-2023