Home
Support Forums

Several questions for clarification, namecheap DNS, netlify DNS ipv4/6, DNSSEC, Content-Security-Policy and internet.nl score

Hello,

Firstly, thank you for providing is service and support forums. I am very grateful for Netlify and this community for providing a place to learn.

Secondly, I have a few question I’d just like to clarify and would like to apologize preemptively if I am misuse terminology or say word something in correctly.

I have a namecheap account where I purchased my domain. I host my site on github and have forked a theme that I like a lot.

Please correct me if I am wrong. From what I understand is that if I have NetLify DNS (which has ipv4 and ipv6) then DNSSEC is not supported?

Is there any way to get a score of 100% using namecheap, github and netlify?

Also is there any way someone may please help me with my Content-Security-Policy, I’m afraid I don’t quite understand how to make it work correctly.

The Hugo theme I am using is GitHub - ronv/listed: Minimalistic, clean and simple design Hugo theme
And my site should look like this https://listed-hugo.netlify.app/
But instead it look like this https://akc3n.netlify.app
Using Report URI: Generate your Content Security Policy for my akc3ndotorg/netlify.toml at main · akc3n/akc3ndotorg · GitHub

Thank you for taking a look at my question(s). I appreciate your time and help.

Github repo: GitHub - akc3n/akc3ndotorg: testing this currently
Netlify site name: akc3n.netlify.app
Domain: https://akc3n.org

Thank you for the kind words (though more credit goes to my teammates @hillary and @perry who are in charge of the forums for the work they do every day, as a Support + Forums team we celebrate the wins together :)). In the end, we are glad to see you here, @akc3n , and are happy for the opportunity to not just give you tech support (don’t worry, our staff does get compensated for this time!) but also share answers that could help future explorers be able to self serve on the same topic.

One thing we are proud of here is that this isn’t stack overflow. I use stackoverflow every day, but I see those kind of toxic comments every day - “you asked wrong.” “your question displays your ignorance” (duh, I am asking the question to learn!) - and we strive to be the opposite so I hope we never make you feel bad about how you ask or what you ask. But we do appreciate our diligence in asking the best questions possible, which it is clear you have done since you set context so well and were thorough in your ask. Kudos!

That said, we’re not in control of what the tests at internet.nl test, and in particular I don’t personally understand content-security-policy HTTP response headers enough to understand if the ding I see on netlify.com when I test it, is:

  • a problem
  • or would apply to your sites

We’ll leave this thread open to find someone else who can better speak to the CSP question, but you asked about DNS, and that I can speak authoritatively to!

Unfortunately your statements are correct (rare to say that but I am sad to agree with you):

  • our DNS hosting does not support DNSSEC
  • not using our DNS hosting makes it very hard to have ipv6 on your bare domain, since we don’t provide an ipv6 load balancer

GitHub doesn’t really factor into the score there :slight_smile:

I guess the best “mix” you can get of our features vs their grading would be:

  • host your DNS elsewhere (e.g. namecheap)
  • use a CNAME for www.akc3n.org to point to sitename.netlify.app - that will provide ipv6 answers when available, which is the case in most but not all of our datacenters. But, this won’t help for the bare domain akc3n.org
  • change your primary custom domain to www.akc3n.org instead of akc3n.org, as this will allow you to actually use our CDN with external DNS hosting.

That will let you use DNSSEC (with a presumably-DNSSEC capable DNS host), and give you IPv6 on the domain your visitors end up on (www, rather than bare domain).

Nothing you can do, on Netlify, will guarantee a score of 100 today or in the future on that tool. However, most of these tools providing scores are advisory and sometimes the tools disagree with “how we do things”, so we aren’t trying to get 100% in how we build our product (for instance, that tool claims that our server supporting compression - which vastly speeds up your site load - could be a security problem. We 100% disagree with that assessment, and they’d have a very hard time convincing us otherwise. Perhaps that is the case on some server somewhere, but we are pretty confident, not ours.) It’s a good thing to get the best score you can, but it is rarely (in my 5 years of being asked questions about performance metrics at this company + a 27 year career of thinking about the same topic) the case that being under 100% is a major problem.

Also - apologies but I didn’t understand what you meant by:

And my site should look like this https://listed-hugo.netlify.app/
But instead it look like this https://akc3n.netlify.app

What exactly looks wrong to you?

4 Likes

Hi,

Thank you so much for making me feel welcome and I appreciate the time plus effort you put into explaining everything to me. It certainly clarifies everything I was inquiring about.

What exactly looks wrong to you?

The problem here is that the original theme looks like this, with no Content-Security-Policy in headers:

While mine does look exactly the same if I only comment out
Content-Security-Policy = "default-src 'none'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; frame-ancestors 'none'; form-action 'none'; block-all-mixed-content; base-uri 'none';"
And
Referrer-Policy = 'strict-origin-when-cross-origin'
In my akc3ndotorg/netlify.toml at main · akc3n/akc3ndotorg · GitHub

Hoeever, I don’t know I would correctly apply a CSP to load all the styles and functions.

Hi @akc3n

This is referring specifically to the shortcut icon which is not has no src as it is a base64 string. I am not overly familiar with CSP, however based on this post on Stack Overflow (and linked W3C Working Draft) I believe you need to change

img-src 'self';

to

img-src 'self' data:;

to explicitly allow the loading of icon. The original https://listed-hugo.netlify.app has no CSP headers so.

Edit:

The solution for the inline styles not rendering is mentioned in the console message. One method it to have

<style nonce="2726c7f26c">
/* Styles */
</style>

coupled with a CSP

style-src 'self' 'nonce-2726c7f26c';

This is further explained here: CSP: style-src - HTTP | MDN.

1 Like

Thank you so much @coelmay,

That was the solution that was needed to fix my issue, which also lead to finding more resources and documentation that covers more questions I had.

I really appreciate you taking the time to help me with this and opening the door to more knowledge. Thank you both, @coelmay and @fool