YUI High Risk : script-src unsafe

by Selena Chiu -
Number of replies: 2

Hello,

Does anyone know how to solve this problem? I scanned my Moodle site using the ZAP scanner, and it reported src unsafe-hashes, unsafe-inline, and script-src unsafe-eval, which is because of YUI?

How can I solve these? Thank you very much!

In reply to Selena Chiu

Re: YUI High Risk : script-src unsafe

by Emma Richardson -

I am not sure how you can expect anyone to know this without a lot more information - what do the results actually point to? What version of Moodle? How is your site set up - hosted/on own server/OS etc.? Any other sites with the Moodle site?

In reply to Selena Chiu

Re: YUI High Risk : script-src unsafe

by Saša Stamenković -
I wouldn't really classify CWE ID: 693 ( https://www.zaproxy.org/docs/alerts/10055-4/ ) as a high level risk ...

ZAP is a great open-source tool for discovering web server misconfigurations, security vulnerabilities, and PCI/DSS compliance issues. However, the issue you reported is unrelated to Moodle or its version. While Moodle is great software, your server is not properly configured. Please focus on reconfiguring your web server to use the correct Content Security Policy (CSP) headers.

I will write instructions for open source server software/OS systems such as Apache server running on Linux (e.g., Rocky, Alma, CentOS) exclusively:
1. Edit the /etc/httpd/conf/httpd.conf file.
2. Find, edit or add the following:
    <IfModule mod_headers.c>
        Header set Content-Security-Policy "default-src 'self'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content"
    </IfModule>
3. Save and exit.
4. Check your server configuration with: sudo apachectl configtest
5. If the syntax is OK, run: sudo /sbin/service httpd graceful
6. Finally, start a new ZAP session, and the medium-level warning should disappear.

Be sure to test in a QA or staging environment first, especially if you're using a non-standard Moodle theme other than Boost, as it may affect site functionality, such as the main navigation. Remove any inline CSS added to Moodle's additional HTML page ... And it's good to know you can set different header policies for any Moodle page at the server level, but this process may take some time ...

Definitely learn more about security: https://owasp.org/www-project-secure-headers/#tab=Headers and https://owasp.org/www-project-secure-headers/ci/headers_add.json
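As an added example (not code from this thread, Moodle or ZAP), the following Python 3 script reproduces the check behind the ZAP finding discussed above: it parses a CSP header value, works out which directive actually governs scripts (script-src, or default-src as the fallback), and reports any of the 'unsafe-inline', 'unsafe-eval' and 'unsafe-hashes' keywords. The two sample header values are constructed; one mimics a policy relaxed for YUI, the other is the policy from the Apache snippet in the reply above.

```python
"""Report unsafe script-src keywords in a Content-Security-Policy header value."""
from typing import Dict, List, Optional

# Keywords that ZAP's CSP scanner flags when present in the effective script-src.
UNSAFE_KEYWORDS = ("'unsafe-inline'", "'unsafe-eval'", "'unsafe-hashes'")

# Constructed samples: a policy loosened for YUI, and the one from the reply above.
LOOSE_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'unsafe-hashes'"
POST_CSP = ("default-src 'self'; form-action 'self'; object-src 'none'; "
            "frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}.

    Directives are ';'-separated, tokens whitespace-separated, and names and
    keyword sources are ASCII case-insensitive. As in the CSP spec, the first
    occurrence of a directive wins and later duplicates are ignored.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = [t.lower() for t in tokens[1:]]
    return policy


def effective_script_src(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """script-src governs scripts; if it is absent default-src applies; if both
    are absent, None means scripts are unrestricted."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def unsafe_script_sources(header: str) -> List[str]:
    """Return the unsafe keywords found in the effective script-src, or a single
    message when no directive restricts scripts at all."""
    sources = effective_script_src(parse_csp(header))
    if sources is None:
        return ["no script-src or default-src: scripts are unrestricted"]
    return [kw for kw in UNSAFE_KEYWORDS if kw in sources]


if __name__ == "__main__":
    for label, csp in (("loose", LOOSE_CSP), ("post", POST_CSP)):
        print(f"{label}: {unsafe_script_sources(csp) or 'no unsafe script sources'}")
```

Run it against the `Content-Security-Policy` value returned by your own server (for example from `curl -sI` output) to confirm the keywords are gone before re-running ZAP.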