Improve default Content-Security-Policy value (#224)

See https://github.com/h5bp/server-configs-apache/pull/181
Léo Colombaro 2019-03-26 12:41:15 +01:00 committed by GitHub
parent d186781282
commit 276af8da7b
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 13 additions and 8 deletions


@ -8,16 +8,21 @@
# This can be done by setting a `Content Security Policy` which
# whitelists trusted sources of content for your website.
#
# The example header below allows ONLY scripts that are loaded from
# the current website's origin (no inline scripts, no CDN, etc).
# That almost certainly won't work as-is for your website!
# There is no policy that fits all websites, you will have to modify
# the `Content-Security-Policy` directives in the example depending
# on your needs.
#
# To make things easier, you can use an online CSP header generator
# such as: https://www.cspisawesome.com/.
# To make your CSP implementation easier, you can use an online CSP header
# generator such as:
# https://report-uri.com/home/generate/
#
# It is encouraged that you validate your CSP header using a CSP validator
# such as:
# https://csp-evaluator.withgoogle.com
#
# https://csp.withgoogle.com/docs/
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
# https://www.w3.org/TR/CSP3/
# https://content-security-policy.com/
# https://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.w3.org/TR/CSP/
add_header Content-Security-Policy $content_security_policy always;
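Review bot: The sentences near the top of the hunk still describe the example header as allowing "ONLY scripts" from the site's origin, but the value this commit wires in through `$content_security_policy` (`default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests` in nginx.conf) now restricts every resource type that falls back to `default-src` — styles, images, fonts, XHR/fetch, frames, plugins — and additionally forbids framing by any origin and form submissions to other origins. Since this comment block is what readers consult before editing the policy, those two lines should be rewritten along the lines of `# The example header below allows ONLY resources (scripts, styles, images, fonts,` / `# connections, frames, ...) that are loaded from the current website's origin` / `# (no inline scripts or styles, no CDN, no data: URIs, no framing).` It is also worth a sentence that `upgrade-insecure-requests` rewrites `http://` subresource URLs to `https://`, so the default presumably assumes the site is served over TLS — confirm against the rest of the config.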


@ -112,7 +112,7 @@ http {
# Add Content-Security-Policy for HTML documents.
# h5bp/security/content-security-policy.conf
map $sent_http_content_type $content_security_policy {
~*text/html "script-src 'self'; object-src 'self'";
~*text/html "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests";
}
# Add Referrer-Policy for HTML documents.
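Review bot: The replacement value on the `~*text/html` line is a far wider policy than the script-only one it replaces, yet the only comment on the map points to another file; a short comment beside the map stating what the value actually blocks (inline scripts and styles, `data:` and third-party URLs for every fetch directive, any framing of the page, cross-origin form posts) would spare operators a debugging round when assets start failing after upgrade. `upgrade-insecure-requests` additionally makes browsers rewrite `http://` subresource URLs to `https://`, so the default presumably assumes a TLS-only deployment — stating that assumption next to the map would help. Operators rolling this out may also want a `report-uri` (or `report-to`) directive so violations are visible rather than only surfacing as broken pages. The enclosing `http {` block starts outside the hunk.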