From 0f9f94d2ce1c1510e5e4471447ba3f8f780f7612 Mon Sep 17 00:00:00 2001 From: Tommy Date: Tue, 15 Aug 2023 17:09:44 -0700 Subject: [PATCH] Add upgrade-insecure-requests; --- .../linux/Slightly Improving Mailcow Security.md | 2 +- static/_headers | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/content/posts/linux/Slightly Improving Mailcow Security.md b/content/posts/linux/Slightly Improving Mailcow Security.md index 446774e..b66acc0 100644 --- a/content/posts/linux/Slightly Improving Mailcow Security.md +++ b/content/posts/linux/Slightly Improving Mailcow Security.md @@ -81,7 +81,7 @@ add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https #### If you do not use Gravatar with SOGo ``` -add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://api.github.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'"; +add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://api.github.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'"; ``` ### Cross-Origin Resource, Opener, and Embedder Policies diff --git a/static/_headers b/static/_headers index 05e6de3..d7a0180 100644 --- a/static/_headers +++ b/static/_headers @@ -1,6 +1,6 @@ /* Strict-Transport-Security : max-age=63072000; includeSubDomains; preload - Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' + Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; form-action 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none' X-Content-Type-Options : nosniff Referrer-Policy : no-referrer X-Frame-Options : DENY @@ -12,27 +12,27 @@ /posts/knowledge/multi-factor-authentication/ ! Content-Security-Policy - Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' + Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none' Cross-Origin-Embedder-Policy : unsafe-none /posts/android/android-tips/ ! Content-Security-Policy - Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' + Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none' Cross-Origin-Embedder-Policy : unsafe-none /posts/android/choosing-your-android-based-operating-system/ ! Content-Security-Policy - Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self' https://i.ytimg.com; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' + Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self' https://i.ytimg.com; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none' Cross-Origin-Embedder-Policy : unsafe-none /posts/linux/choosing-your-desktop-linux-distribution/ ! Content-Security-Policy - Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' + Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none' Cross-Origin-Embedder-Policy : unsafe-none /posts/linux/desktop-linux-hardening/ ! Content-Security-Policy - Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' + Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none' Cross-Origin-Embedder-Policy : unsafe-none /*.xml