gaja-group
/
server-configs-nginx
mirror of https://github.com/h5bp/server-configs-nginx
2
0
Fork 0
Code Issues Releases Wiki Activity

Make `Content-Security-Policy` disallow 'object-src' by default 

Ref https://github.com/h5bp/server-configs-apache/issues/190
This commit is contained in:
Léo Colombaro 2021-06-28 14:28:44 +02:00
parent b9ef881d62
commit 8600df1018
No known key found for this signature in database
GPG Key ID: 687B480A6D4F735F
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nginx.conf
View File

@ -105,7 +105,7 @@ http {
# Add Content-Security-Policy for HTML documents.
# h5bp/security/content-security-policy.conf
map $sent_http_content_type $content_security_policy {
~*text/(html|javascript)|application/pdf|xml "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests";
~*text/(html|javascript)|application/pdf|xml "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; object-src 'none'; upgrade-insecure-requests";
}
# Add Referrer-Policy for HTML documents.