# ---------------------------------------------------------------------- # | Content Security Policy (CSP) | # ---------------------------------------------------------------------- # Mitigate the risk of cross-site scripting and other content-injection # attacks. # # This can be done by setting a Content Security Policy which permits # trusted sources of content for your website. # # There is no policy that fits all websites, you will have to modify the # `Content-Security-Policy` directives in the example depending on your needs. # # To make your CSP implementation easier, you can use an online CSP header # generator such as: # https://report-uri.com/home/generate/ # # It is encouraged that you validate your CSP header using a CSP validator # such as: # https://csp-evaluator.withgoogle.com # # https://csp.withgoogle.com/docs/ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy # https://www.html5rocks.com/en/tutorials/security/content-security-policy/ # https://www.w3.org/TR/CSP/ add_header Content-Security-Policy $content_security_policy always;