minor improvements to CSP

This commit is contained in:
Daniel Micay 2021-07-22 00:12:22 -04:00
parent 1a6400af4e
commit a97dd92eb8

View File

@ -99,7 +99,7 @@ http {
include snippets/security-headers.conf; include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always; add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Content-Security-Policy "font-src 'none'; script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content" always; add_header Content-Security-Policy "font-src 'none'; manifest-src 'none'; object-src 'none'; script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content" always;
# obsolete and replaced with Content-Security-Policy frame-ancestors 'none' # obsolete and replaced with Content-Security-Policy frame-ancestors 'none'
add_header X-Frame-Options "DENY" always; add_header X-Frame-Options "DENY" always;
@ -114,7 +114,7 @@ http {
include snippets/security-headers.conf; include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "cross-origin" always; add_header Cross-Origin-Resource-Policy "cross-origin" always;
add_header Content-Security-Policy "font-src 'none'; script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content" always; add_header Content-Security-Policy "font-src 'none'; manifest-src 'none'; object-src 'none'; script-src 'none'; style-src 'none'; frame-ancestors 'none'; block-all-mixed-content" always;
# obsolete and replaced with Content-Security-Policy frame-ancestors 'none' # obsolete and replaced with Content-Security-Policy frame-ancestors 'none'
add_header X-Frame-Options "DENY" always; add_header X-Frame-Options "DENY" always;
add_header X-Robots-Tag "none"; add_header X-Robots-Tag "none";
@ -143,7 +143,7 @@ http {
include snippets/security-headers.conf; include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "cross-origin" always; add_header Cross-Origin-Resource-Policy "cross-origin" always;
add_header Content-Security-Policy "font-src 'self'; manifest-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; block-all-mixed-content" always; add_header Content-Security-Policy "font-src 'self'; manifest-src 'self'; object-src 'none'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; block-all-mixed-content" always;
# obsolete and replaced with Content-Security-Policy frame-ancestors 'self' # obsolete and replaced with Content-Security-Policy frame-ancestors 'self'
add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Robots-Tag "none"; add_header X-Robots-Tag "none";