From a97dd92eb8ead8f89c28f805b0d54bcd46c51f9d Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Thu, 22 Jul 2021 00:12:22 -0400
Subject: [PATCH] minor improvements to CSP
---
 nginx/nginx.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 94aa346..af1ba92 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -99,7 +99,7 @@ http {
 include snippets/security-headers.conf;
 add_header Cross-Origin-Resource-Policy "same-origin" always;
- add_header Content-Security-Policy "font-src 'none'; script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content" always;
+ add_header Content-Security-Policy "font-src 'none'; manifest-src 'none'; object-src 'none'; script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content" always;
 # obsolete and replaced with Content-Security-Policy frame-ancestors 'none'
 add_header X-Frame-Options "DENY" always;
@@ -114,7 +114,7 @@ http {
 include snippets/security-headers.conf;
 add_header Cross-Origin-Resource-Policy "cross-origin" always;
- add_header Content-Security-Policy "font-src 'none'; script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content" always;
+ add_header Content-Security-Policy "font-src 'none'; manifest-src 'none'; object-src 'none'; script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content" always;
 # obsolete and replaced with Content-Security-Policy frame-ancestors 'none'
 add_header X-Frame-Options "DENY" always;
 add_header X-Robots-Tag "none";
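Review bot: The new Content-Security-Policy values at @@ -99 and @@ -114 still carry no `default-src`, so every fetch directive they do not spell out (img-src, connect-src, media-src, frame-src, worker-src) remains unrestricted even though each listed directive is `'none'`; the `'self'` policy at @@ -143 has the same gap. For these two locked-down locations, prefixing `default-src 'none'; base-uri 'none'; form-action 'none';` would close it, the last two being needed explicitly because base-uri, form-action and frame-ancestors never fall back to default-src. For @@ -143, `default-src 'self'` is presumably the matching choice, but whether that location loads images or XHR from other origins is not visible in the hunk, so confirm before adding it. `block-all-mixed-content` on the new lines is deprecated in CSP3, with `upgrade-insecure-requests` as the current replacement; keeping it is harmless but it no longer buys anything.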
@@ -143,7 +143,7 @@ http { include snippets/security-headers.conf; add_header Cross-Origin-Resource-Policy "cross-origin" always; - add_header Content-Security-Policy "font-src 'self'; manifest-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; block-all-mixed-content" always; + add_header Content-Security-Policy "font-src 'self'; manifest-src 'self'; object-src 'none'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; block-all-mixed-content" always; # obsolete and replaced with Content-Security-Policy frame-ancestors 'self' add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Robots-Tag "none";
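Review bot: The header value here is now a near-copy of the strings at @@ -99 and @@ -114, each maintained by hand, and this commit had to edit all three to add a single `object-src 'none'`, which is exactly how the three policies will drift apart next time. Since these blocks already share `include snippets/security-headers.conf;`, the common tail could live in an nginx variable set once at server scope and emitted as `add_header Content-Security-Policy "font-src 'self'; ...; $csp_common" always;`, leaving only the per-location `'self'`/`'none'` parts inline. Separately, the new line keeps `script-src 'self' 'unsafe-eval'`, which lets any same-origin script reach eval; if the application does not actually need it, removing it is a larger gain than the object-src change, though that is outside this patch.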