From 276af8da7bdf7c7d3708bbe5190092194b307789 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9o=20Colombaro?=
Date: Tue, 26 Mar 2019 12:41:15 +0100
Subject: [PATCH] Improve default Content-Security-Policy value (#224)

See https://github.com/h5bp/server-configs-apache/pull/181
---
 h5bp/security/content-security-policy.conf | 19 ++++++++++++-------
 nginx.conf                                 |  2 +-
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/h5bp/security/content-security-policy.conf b/h5bp/security/content-security-policy.conf
index f5a92e61..f8ece3e2 100644
--- a/h5bp/security/content-security-policy.conf
+++ b/h5bp/security/content-security-policy.conf
@@ -8,16 +8,21 @@
 # This can be done by setting a `Content Security Policy` which
 # whitelists trusted sources of content for your website.
 #
-# The example header below allows ONLY scripts that are loaded from
-# the current website's origin (no inline scripts, no CDN, etc).
-# That almost certainly won't work as-is for your website!
+# There is no policy that fits all websites, you will have to modify
+# the `Content-Security-Policy` directives in the example depending
+# on your needs.
 #
-# To make things easier, you can use an online CSP header generator
-# such as: https://www.cspisawesome.com/.
+# To make your CSP implementation easier, you can use an online CSP header
+# generator such as:
+# https://report-uri.com/home/generate/
 #
+# It is encouraged that you validate your CSP header using a CSP validator
+# such as:
+# https://csp-evaluator.withgoogle.com
+#
+# https://csp.withgoogle.com/docs/
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
-# https://www.w3.org/TR/CSP3/
-# https://content-security-policy.com/
 # https://www.html5rocks.com/en/tutorials/security/content-security-policy/
+# https://www.w3.org/TR/CSP/
 
 add_header Content-Security-Policy $content_security_policy always;
diff --git a/nginx.conf b/nginx.conf
index fed55379..fd7a4e3c 100644
--- a/nginx.conf
+++ b/nginx.conf
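Review bot: The reworded comment drops the warning that the shipped example will not work as-is, yet the value this file documents (the `default-src 'self'` map set in nginx.conf by the same commit) blocks inline scripts, inline styles and every third-party origin, so a reader who deploys the defaults unchanged gets a broken site with no hint why. I would add, after the "on your needs." paragraph: `# Roll the policy out with the Content-Security-Policy-Report-Only header and a report-uri/report-to directive first, and switch to the enforcing header only once the violation reports are clean.` The `add_header` line itself is unchanged by this hunk.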
@@ -112,7 +112,7 @@ http {
   # Add Content-Security-Policy for HTML documents.
   # h5bp/security/content-security-policy.conf
   map $sent_http_content_type $content_security_policy {
-    ~*text/html "script-src 'self'; object-src 'self'";
+    ~*text/html "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests";
   }
 
   # Add Referrer-Policy for HTML documents.
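Review bot: With `default-src 'self'` as the only fetch directive in the new map value, `object-src` falls back to `'self'`, so same-origin plugin content (for example a file uploaded to and served from this host) can still be embedded through `<object>`/`<embed>`; the old value had `object-src 'self'` explicitly, so this is not a regression, but CSP Evaluator, which this commit itself recommends, will typically flag it, and almost no site needs plugins. I would add `object-src 'none'` to the value: `~*text/html "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; object-src 'none'; upgrade-insecure-requests";`. It is also worth a comment above the `map` that `frame-ancestors 'none'` supersedes any `X-Frame-Options` header set elsewhere in this config for CSP-aware browsers, and that `upgrade-insecure-requests` only makes sense once the site is actually served over TLS, since the directive is applied to every HTML response regardless of scheme.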