child 159:2bc0a5ac4959
parent 157:45e6e68a871b
158:5fcf0955129c
Anton Shestakov <av6@dwimlabs.net>, Tue, 31 Oct 2017 12:53:48 +0800
provision: add CSP header, *-src are either 'self' or 'none'

1 файлов изменено, 12 вставок(+), 0 удалений(-) [+]
provision/roles/fruitbar/templates/etc/nginx/sites-available/fruitbar
--- a/provision/roles/fruitbar/templates/etc/nginx/sites-available/fruitbar Tue Oct 31 12:48:41 2017 +0800
+++ b/provision/roles/fruitbar/templates/etc/nginx/sites-available/fruitbar Tue Oct 31 12:53:48 2017 +0800
@@ -48,6 +48,18 @@
# HSTS: 31536000 = 365 days (set to 0 to expire and allow plain HTTP)
add_header Strict-Transport-Security 'max-age=31536000' always;
+ # CSP
+ set $CSP "default-src 'none';";
+ # unsafe-inline is for underscore template config snippet
+ # unsafe-eval is for jQuery
+ set $CSP "$CSP script-src 'self' 'unsafe-inline' 'unsafe-eval';";
+ # unsafe-inline is for initial "opacity: 0" on body
+ set $CSP "$CSP style-src 'self' 'unsafe-inline';";
+ set $CSP "$CSP img-src 'self';";
+ set $CSP "$CSP font-src 'self';";
+ set $CSP "$CSP connect-src 'self';";
+ add_header Content-Security-Policy "$CSP" always;
+
add_header Cache-Control private;
{% endif %}
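Review bot: The new policy never sets `frame-ancestors`, `base-uri` or `form-action`, and unlike the fetch directives those three do not fall back to `default-src 'none'`, so the page can still be framed (clickjacking), a `<base>` tag can be injected to redirect relative script URLs, and forms can be submitted off-site; add `set $CSP "$CSP frame-ancestors 'none'; base-uri 'self'; form-action 'self';";` before the `add_header Content-Security-Policy` line (drop `frame-ancestors` only if an X-Frame-Options header elsewhere in this file already covers framing). With both `'unsafe-inline'` and `'unsafe-eval'` in `script-src`, the policy offers little XSS mitigation for scripts, because any injected inline script or eval'd string is still allowed to run. The underscore template config snippet the comment mentions could be allowed with a hash or, if the nginx version supports it, a per-request nonce (`'nonce-$request_id'` echoed into the script tag) instead of `'unsafe-inline'`, and it is worth confirming that jQuery actually needs `'unsafe-eval'` for this application rather than granting it globally, since that need presumably depends on how the app uses it. Because nginx `add_header` in a nested block replaces all inherited headers, any later `location` block adding its own header will drop this CSP unless it repeats the `add_header`, which is worth a comment next to the directive. The enclosing server block starts outside this hunk.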