Asset security
Overview
You can configure how a frontend canister responds to requests for specific assets by defining your
desired configuration in a file named .ic-assets.json
Each entry in .ic-assets.json
allows for specifying a glob pattern along with the headers to be returned in the response for any file that matches the pattern. You may also dictate whether redirects are performed from the non-certified endpoint to a certified endpoint for any given filename pattern.
Content Security Policies (CSP)
By default, frontend canisters created with dfx new
contain the following Content Security Policy (CSP) in the project's .ic-assets.json
file:
"Content-Security-Policy": "default-src 'self';script-src 'self';connect-src 'self' http://localhost:* https://icp0.io https://*.icp0.io https://icp-api.io;img-src 'self' data:;style-src * 'unsafe-inline';style-src-elem * 'unsafe-inline';font-src *;object-src 'none';base-uri 'self';frame-ancestors 'none';form-action 'self';upgrade-insecure-requests;",
This CSP includes img-src data
as data images are frequently included in frontend interfaces, and frame-ancestors: none
is used to mitigate clickjacking attacks.
Security recommendations
This default Content Security Policy aims to work with as many applications as possible rather than providing the maximum security. It is recommended that you update this policy for your application's specific needs by utilizing tools such as:
Use the CSP Evaluator tool to validate your security policy.
Follow these CSP recommendations. Note that on ICP, nonces cannot be used because the response bodies must be static to work well with HTTP asset certification.
It is recommended to include script hashes in combination with strict-dynamic in the CSP to account for not using nonces.
Tighten the
connect-src
directive, as the default CSP allows for any canister to be called viahttps://icp0.io/api/v2/canister/{canister-ID}
.Configure
style-src
,style-src-elem
andfont-src
directives instead of using the wildcard (*) option.
View more details on the default CSP.
dfx v0.21.0
and older
dfx
versions 0.21.0
and older include script-src 'unsafe-eval'
in the default security policy. This is required for older versions because previous versions of the ICP JavaScript agent used a WebAssembly module for the BLS signature validation. This has since been removed and is no longer included in the most recent versions of dfx
.
If you are using an older version of dfx
, we recommend updating your security policy to remove the script-src 'unsafe-eval'
portion.