Using a custom login form on https & correct settings for the CSP


#1

I am finishing up my first Surreal CMS backed site and spent last weekend locking down the security on the host, which included setting up a Content Security Policy (CSP). I still have a few tweaks to go, but the site is scanning well through observatory.mozilla.org and I was feeling quite happy with the world. On Monday I sent out a note to the clients with the Custom Login Form address, together with their account information, so they could log in and see how easy editing the site was going to be.

Then this afternoon, one of the clients contacted me wondering why, after entering his email and password, nothing happens. Nothing at all. I figured it had to be something I had done in the CSP that was causing the issue, but as this is the first time I have designed a static https site and locked it down in this way, I wasn't certain of what it was.

Turns out that in the CSP (contained in the .htaccess file) I had set the form-action to 'none', so it wasn't surprising it didn't work. Setting the form-action to the correct hostname solved the issue.

I thought I would post this just in case anyone else ends up in a similar situation. To an old hand this is probably obvious, but it's all part of the learning process for me!
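Added example (not the poster's actual .htaccess, and not from Surreal CMS): the failing form-action directive beside a working one. It assumes Apache with mod_headers enabled, and editor.example.com is a placeholder for whatever host the custom login form actually posts to; the rest of the policy is illustrative only.

```apache
# Added example, not the original .htaccess.

# BEFORE: form-action 'none' forbids every form submission from the page,
# including the custom login form. The browser drops the POST with no visible
# feedback to the user; the only trace is a CSP violation in the browser console.
Header always set Content-Security-Policy "default-src 'self'; form-action 'none'"

# AFTER: allow submissions only to the host the login form posts to.
# form-action does NOT fall back to default-src, so the host must be listed
# explicitly. Keep 'self' only if some form on the site posts back to the site.
# editor.example.com is a placeholder for the real login-form host.
Header always set Content-Security-Policy "default-src 'self'; form-action 'self' https://editor.example.com"

# OPTIONAL: trial a new policy without breaking anything. Report-Only logs
# violations (console, or to an endpoint via report-to/report-uri) but enforces nothing.
Header always set Content-Security-Policy-Report-Only "default-src 'self'; form-action 'self' https://editor.example.com"
```

After changing the header, reload the login page with the browser's developer console open and submit the form once: a remaining form-action violation is printed there even though the page itself shows nothing.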