Skip to main content

Asset security

Intermediate
Concept

You can configure how a frontend canister responds to requests for specific assets by defining your desired configuration in a file named .ic-assets.json Each entry in .ic-assets.json allows for specifying a glob pattern along with the headers to be returned in the response for any file that matches the pattern. You may also dictate whether redirects are performed from the non-certified endpoint to a certified endpoint for any given filename pattern.

Content Security Policies (CSP)

By default, frontend canisters created with dfx new contain the following Content Security Policy (CSP) in the project's .ic-assets.json file:

"Content-Security-Policy": "default-src 'self';script-src 'self';connect-src 'self' http://localhost:* https://icp0.io https://*.icp0.io https://icp-api.io;img-src 'self' data:;style-src * 'unsafe-inline';style-src-elem * 'unsafe-inline';font-src *;object-src 'none';base-uri 'self';frame-ancestors 'none';form-action 'self';upgrade-insecure-requests;",

This CSP includes img-src data as data images are frequently included in frontend interfaces, and frame-ancestors: none is used to mitigate clickjacking attacks.

Security recommendations

This default Content Security Policy aims to work with as many applications as possible rather than providing the maximum security. It is recommended that you update this policy for your application's specific needs by utilizing tools such as:

  • Use the CSP Evaluator tool to validate your security policy.

  • Follow these CSP recommendations. Note that on ICP, nonces cannot be used because the response bodies must be static to work well with HTTP asset certification.

  • It is recommended to include script hashes in combination with strict-dynamic in the CSP to account for not using nonces.

  • Tighten the connect-src directive, as the default CSP allows for any canister to be called via https://icp0.io/api/v2/canister/{canister-ID}.

  • Configure style-src, style-src-elem and font-src directives instead of using the wildcard (*) option.

View more details on the default CSP.

dfx v0.21.0 and older

dfx versions 0.21.0 and older include script-src 'unsafe-eval' in the default security policy. This is required for older versions because previous versions of the ICP JavaScript agent used a WebAssembly module for the BLS signature validation. This has since been removed and is no longer included in the most recent versions of dfx.

If you are using an older version of dfx, we recommend updating your security policy to remove the script-src 'unsafe-eval' portion.

Resources