# ---------------------------------------------------------------------- # | Content Security Policy (CSP) | # ---------------------------------------------------------------------- # Mitigate the risk of cross-site scripting and other content-injection # attacks. # # This can be done by setting a `Content Security Policy` which # whitelists trusted sources of content for your website. # # The example header below allows ONLY scripts that are loaded from # the current website's origin (no inline scripts, no CDN, etc). # That almost certainly won't work as-is for your website! # # To make things easier, you can use an online CSP header generator # such as: https://www.cspisawesome.com/. # # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy # https://www.w3.org/TR/CSP3/ # https://content-security-policy.com/ # https://www.html5rocks.com/en/tutorials/security/content-security-policy/ add_header Content-Security-Policy $content_security_policy always;