Document how to configure Content-Security-Policy header #63

carlalexander · 2016-05-14T21:07:30Z

Working on adding support for security headers in debops.nginx. But even with the changes, the Content-Security-Policy header is hard to configure right and is turned off by default.

The security cookbook should be updated to explain how to configure the Content-Security-Policy header. Explain how to setup reporting at to see if a policy works. Then how to use tools like securityheaders.io and report-uri.io to craft a good policy for your site.

The text was updated successfully, but these errors were encountered:

carlalexander · 2016-05-17T02:01:33Z

Just added support for the Content-Security-Policy header. I made some changes to the default header compared to the debops.nginx role. The important difference with WordPress is that you need to use 'unsafe-eval' and 'unsafe-inline' since themes and plugins output styles and scripts inline.

carlalexander added security documentation labels May 14, 2016

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Document how to configure Content-Security-Policy header #63

Document how to configure Content-Security-Policy header #63

carlalexander commented May 14, 2016

carlalexander commented May 17, 2016

Document how to configure Content-Security-Policy header #63

Document how to configure Content-Security-Policy header #63

Comments

carlalexander commented May 14, 2016

carlalexander commented May 17, 2016