This repository has been archived by the owner on Nov 23, 2021. It is now read-only.
Working on adding support for security headers in debops.nginx. But even with the changes, the Content-Security-Policy header is hard to configure right and is turned off by default.
The security cookbook should be updated to explain how to configure the Content-Security-Policy header. Explain how to set up reporting at to see if a policy works. Then how to use tools like securityheaders.io and report-uri.io to craft a good policy for your site.
Just added support for the Content-Security-Policy header. I made some changes to the default header compared to the debops.nginx role. The important difference with WordPress is that you need to use 'unsafe-eval' and 'unsafe-inline' since themes and plugins output styles and scripts inline.
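An added example, not part of the issue or of the DebOps roles: a small Python check that parses a Content-Security-Policy value and reports where 'unsafe-inline' and 'unsafe-eval' are allowed and whether a reporting endpoint is set. Both sample policies and the csp-reports.example URL are constructed for illustration and are not the role's defaults.

```python
# Added example: audit a Content-Security-Policy header value.
# Keywords worth flagging per directive ('unsafe-eval' matters for scripts).
FLAGGED = {
    "script-src": ("'unsafe-inline'", "'unsafe-eval'"),
    "style-src": ("'unsafe-inline'",),
}

# Constructed sample policies (assumptions, not taken from the roles).
STRICT = "default-src 'self'; report-uri https://csp-reports.example/r"
WORDPRESS = ("default-src 'self'; "
             "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
             "style-src 'self' 'unsafe-inline'")


def parse_csp(header):
    """Parse a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # A repeated directive is ignored by browsers: the first one wins.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_csp(header):
    """Return a list of findings for one policy string."""
    policy = parse_csp(header)
    findings = []
    for directive, keywords in FLAGGED.items():
        # script-src and style-src fall back to default-src when absent.
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            findings.append(f"{directive}: unrestricted (no default-src)")
            continue
        lowered = [s.lower() for s in sources]  # keywords are case-insensitive
        for kw in keywords:
            if kw in lowered:
                findings.append(f"{directive}: allows {kw}")
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("no report-uri/report-to: violations are not reported")
    return findings


if __name__ == "__main__":
    for name, value in (("strict", STRICT), ("wordpress", WORDPRESS)):
        print(name, audit_csp(value) or "no findings")
```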