HubSpot Content Security Policy (CSP) Trust and Safety Issue

SOLVE
theAndreyK
Contributor | Partner
When I run Google Lighthouse, I get a warning about needing a strong Content Security Policy (CSP). (see below) 
 
It looks like a <meta> tag can be used but a secure version requires generating a hash on the server.
 
Is this something I can implement?
Is this something HubSpot needs to update?
 
Trust and Safety
Ensure CSP is effective against XSS attacks
A strong Content Security Policy (CSP) significantly reduces the risk of cross-site scripting (XSS) attacks. Learn more
DescriptionDirectiveSeverity
script-src directive is missing. This can allow the execution of unsafe scripts.
script-src
High
Elements controlled by object-src are considered legacy features. Consider setting object-src to 'none' to prevent the injection of plugins that execute unsafe scripts.
object-src
High
No CSP configures a reporting destination. This makes it difficult to maintain the CSP over time and monitor for any breakages.
report-uri
Medium
0 Upvotes
1 Accepted solution

Accepted Solutions
miljkovicmisa
Solution
Top Contributor | Gold Partner

Hello @theAndreyK , interesting topic, though I'm not a sequrity expert and thus I cannot provide you with full-scale information about this, I guess this page covers most of the basic stuff about security and the particular section in this link covers exactly your question regarding CSP.

I also did some google search regarding xss handling in hubspot and stumblet upon this interesting article. It's an incident with hubspot's security and their quick response regarding the issue.

Also other people on the community have talked about this as it does downgrade the sites performance scores, here is a link in the forums with a great answer regarding how hubspot secures your site and why some things are not the default.

It is not possible to mess with the headers that hubspot sets, but if you have the cms hub enterprise you are covered regarding the CSP as you can define it in the domain settings.

P.S.: I wouldn't go with the meta tags as they are easy to fool if something runs before they are rendered.

Hope I gave you other directions to get info, if my answer was helpful please mark it as a solution.

👋 @dennisedson 

View solution in original post

3 Replies 3
dennisedson
Community Manager

@theAndreyK , asking around.

@miljkovicmisa , curious if you have any ideas here as well.

Thanks,

Dennis




Check out our Community Developer Blog
where we feature our Community driven developer podcast and how to content
0 Upvotes
miljkovicmisa
Solution
Top Contributor | Gold Partner

Hello @theAndreyK , interesting topic, though I'm not a sequrity expert and thus I cannot provide you with full-scale information about this, I guess this page covers most of the basic stuff about security and the particular section in this link covers exactly your question regarding CSP.

I also did some google search regarding xss handling in hubspot and stumblet upon this interesting article. It's an incident with hubspot's security and their quick response regarding the issue.

Also other people on the community have talked about this as it does downgrade the sites performance scores, here is a link in the forums with a great answer regarding how hubspot secures your site and why some things are not the default.

It is not possible to mess with the headers that hubspot sets, but if you have the cms hub enterprise you are covered regarding the CSP as you can define it in the domain settings.

P.S.: I wouldn't go with the meta tags as they are easy to fool if something runs before they are rendered.

Hope I gave you other directions to get info, if my answer was helpful please mark it as a solution.

👋 @dennisedson 

View solution in original post

theAndreyK
Contributor | Partner

Thanks for the reply.

 

HubSpot should really cover this with the regular CMS plan. Security should not be a feature. 

0 Upvotes