server-configs-nginx/h5bp/security/content-security-policy.conf

# ----------------------------------------------------------------------
# | Content Security Policy (CSP)                                      |
# ----------------------------------------------------------------------

# Mitigate the risk of cross-site scripting and other content-injection
# attacks.
#
# This can be done by setting a `Content Security Policy` which
# whitelists trusted sources of content for your website.
#
# There is no policy that fits all websites, you will have to modify
# the `Content-Security-Policy` directives in the example depending
# on your needs.
#
# To make your CSP implementation easier, you can use an online CSP header
# generator such as:
# https://report-uri.com/home/generate/
#
# It is encouraged that you validate your CSP header using a CSP validator
# such as:
# https://csp-evaluator.withgoogle.com
#
# https://csp.withgoogle.com/docs/
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
# https://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.w3.org/TR/CSP/

add_header Content-Security-Policy $content_security_policy always;
Split directives to enforce atomic structure * Enforce H5BP style * Improve inline documentation to simplify maintenance * Prepare v3 2018-11-23 17:14:15 +01:00			`# ----------------------------------------------------------------------`
			`# \| Content Security Policy (CSP) \|`
			`# ----------------------------------------------------------------------`

			`# Mitigate the risk of cross-site scripting and other content-injection`
			`# attacks.`
			`#`
			# This can be done by setting a `Content Security Policy` which
			`# whitelists trusted sources of content for your website.`
			`#`
Improve default Content-Security-Policy value (#224) See https://github.com/h5bp/server-configs-apache/pull/181 2019-03-26 12:41:15 +01:00			`# There is no policy that fits all websites, you will have to modify`
			# the `Content-Security-Policy` directives in the example depending
			`# on your needs.`
Split directives to enforce atomic structure * Enforce H5BP style * Improve inline documentation to simplify maintenance * Prepare v3 2018-11-23 17:14:15 +01:00			`#`
Improve default Content-Security-Policy value (#224) See https://github.com/h5bp/server-configs-apache/pull/181 2019-03-26 12:41:15 +01:00			`# To make your CSP implementation easier, you can use an online CSP header`
			`# generator such as:`
			`# https://report-uri.com/home/generate/`
Split directives to enforce atomic structure * Enforce H5BP style * Improve inline documentation to simplify maintenance * Prepare v3 2018-11-23 17:14:15 +01:00			`#`
Improve default Content-Security-Policy value (#224) See https://github.com/h5bp/server-configs-apache/pull/181 2019-03-26 12:41:15 +01:00			`# It is encouraged that you validate your CSP header using a CSP validator`
			`# such as:`
			`# https://csp-evaluator.withgoogle.com`
			`#`
			`# https://csp.withgoogle.com/docs/`
Split directives to enforce atomic structure * Enforce H5BP style * Improve inline documentation to simplify maintenance * Prepare v3 2018-11-23 17:14:15 +01:00			`# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy`
			`# https://www.html5rocks.com/en/tutorials/security/content-security-policy/`
Improve default Content-Security-Policy value (#224) See https://github.com/h5bp/server-configs-apache/pull/181 2019-03-26 12:41:15 +01:00			`# https://www.w3.org/TR/CSP/`
Split directives to enforce atomic structure * Enforce H5BP style * Improve inline documentation to simplify maintenance * Prepare v3 2018-11-23 17:14:15 +01:00
Switch from location directives to maps based on MIME-types * Expire * X-XSS-Protection * X-Frame-Options * X-UA-Compatible * Content-Security-Policy * Access-Control-Allow-Origin 2019-02-10 20:46:58 +01:00			`add_header Content-Security-Policy $content_security_policy always;`