# ----------------------------------------------------------------------
# | Content Security Policy (CSP) |
# ----------------------------------------------------------------------
# Mitigate the risk of cross-site scripting and other content-injection
# attacks.
#
# This can be done by setting a Content Security Policy which permits
# trusted sources of content for your website.
#
# There is no policy that fits all websites; you will have to modify the
# `Content-Security-Policy` directives in the example depending on your needs.
#
# To make your CSP implementation easier, you can use an online CSP header
# generator such as:
# https://report-uri.com/home/generate/
#
# You are encouraged to validate your CSP header using a CSP validator
# such as:
# https://csp-evaluator.withgoogle.com
#
# https://www.w3.org/TR/CSP/
# https://owasp.org/www-project-secure-headers/#content-security-policy
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
# https://developers.google.com/web/fundamentals/security/csp
# https://content-security-policy.com/
# Send the Content-Security-Policy response header. The `always` parameter
# makes nginx add the header regardless of the response status code, so
# error responses carry the policy as well.
#
# NOTE(review): $content_security_policy is not defined in this file; it is
# presumably set elsewhere in the configuration (e.g. by a `map`) - confirm
# where it is set and that the value is a policy you have reviewed.
#
# nginx inherits `add_header` directives from the enclosing level only when
# the current level defines no `add_header` of its own. A `server` or
# `location` block that adds any other header will therefore stop sending
# this one unless the directive is repeated (or this file is included) there.
add_header Content-Security-Policy $content_security_policy always;