2018-11-23 17:14:15 +01:00
# ----------------------------------------------------------------------
# | Content Security Policy (CSP) |
# ----------------------------------------------------------------------
# Mitigate the risk of cross-site scripting and other content-injection
# attacks.
#
# This can be done by setting a `Content Security Policy` which
# whitelists trusted sources of content for your website.
#
# The example header below allows ONLY scripts that are loaded from
# the current website's origin (no inline scripts, no CDN, etc).
# That almost certainly won't work as-is for your website! Trial a new
# policy with `Content-Security-Policy-Report-Only` before enforcing it.
#
# To make things easier, you can use an online CSP header generator
# such as: https://www.cspisawesome.com/.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
# https://www.w3.org/TR/CSP3/
# https://content-security-policy.com/
# https://www.html5rocks.com/en/tutorials/security/content-security-policy/
2019-02-10 20:46:58 +01:00
# Send the value of `$content_security_policy` as the
# `Content-Security-Policy` response header. The variable is defined
# outside this snippet, so the policy actually enforced is whatever
# that definition yields; review the two together.
#
# `always` makes nginx add the header whatever the response code, so
# error responses carry the policy as well.
#
# NOTE(review): `add_header` directives are inherited from the enclosing
# level only when the current level declares none of its own. A `server`
# or `location` block with its own `add_header` drops this header unless
# it is repeated there.
add_header Content-Security-Policy $content_security_policy always;