UNSOLVED CSP HSTS et al. regarding nodebb srv security


  • Currently, I'm deploying with the following security config. It's working fine so far, and I'd like to get some community feedback.

    # CSP: every directive line ends with a backslash so the quoted value stays one string
    add_header Content-Security-Policy "default-src 'none'; \
    connect-src 'self' https://forum.myforum.com/ wss://forum.myforum.com/ https://bootswatch.com/ https://api.github.com/; \
    script-src 'self' 'unsafe-inline' https://forum.myforum.com/ https://storage.googleapis.com/; \
    img-src 'self' data: https://forum.myforum.com/ https://bootswatch.com/ https://i.imgur.com/ https://www.gravatar.com/; \
    style-src 'self' 'unsafe-inline' https://forum.myforum.com/ https://fonts.googleapis.com/ https://maxcdn.bootstrapcdn.com/; \
    font-src https://forum.myforum.com/ https://maxcdn.bootstrapcdn.com/bootswatch/latest/fonts/ chrome-extension://* https://fonts.gstatic.com/; \
    frame-ancestors 'self'; \
    object-src 'none'; \
    manifest-src https://forum.myforum.com/;";
    # HSTS (two years, subdomains, preload list) and the remaining hardening headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header 'Referrer-Policy' 'same-origin';
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header X-Frame-Options "SAMEORIGIN";
    

    Helpful website for testing was https://observatory.mozilla.org/

    edit: add manifest-src to enable webmanifest loading
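An added example, not part of the original post or of NodeBB: a small Python linter that parses a Content-Security-Policy value the way a reviewer reads the policy above, and flags a malformed quoted keyword (such as `'unsafe-inline` with a missing closing quote, which browsers silently ignore), `'unsafe-inline'` in `script-src` without a nonce or hash, and directives that do not fall back to `default-src`. The sample policy and the `forum.example.com` host are constructed for the example.

```python
"""CSP linter (added example): parse a Content-Security-Policy value and
report the points a reviewer would raise about a policy like the posted one."""
import re

KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
            "'strict-dynamic'", "'report-sample'", "'unsafe-hashes'"}
NONCE_OR_HASH = re.compile(r"^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+/=_-]+'$")

# Constructed sample modelled on the posted policy (not the exact header).
SAMPLE_POLICY = ("default-src 'none'; "
                 "connect-src 'self' https://forum.example.com/; "
                 "script-src 'self' 'unsafe-inline' https://forum.example.com/; "
                 "style-src 'self' 'unsafe-inline'; "
                 "frame-ancestors 'self'; object-src 'none'")


def parse_csp(policy):
    """Return {directive: [source, ...]}: directives split on ';',
    sources on whitespace, directive names lower-cased."""
    csp = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            csp.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return csp


def lint_csp(policy):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    csp = parse_csp(policy)
    for name, sources in csp.items():
        for src in sources:
            if src.count("'") == 1:  # e.g. 'unsafe-inline without its closing quote
                findings.append(f"{name}: malformed quoted token {src} (browsers ignore it)")
            elif src.startswith("'") and src not in KEYWORDS and not NONCE_OR_HASH.match(src):
                findings.append(f"{name}: unknown keyword {src}")
    if "default-src" not in csp:
        findings.append("default-src missing: unlisted fetch directives allow everything")
    # script-src falls back to default-src; a nonce or hash makes browsers ignore 'unsafe-inline'.
    script = csp.get("script-src", csp.get("default-src", []))
    if "'unsafe-inline'" in script and not any(NONCE_OR_HASH.match(s) for s in script):
        findings.append("script-src: 'unsafe-inline' without nonce/hash, so injected inline scripts still run")
    if "'unsafe-eval'" in script:
        findings.append("script-src: 'unsafe-eval' allows eval()/new Function()")
    for d in ("base-uri", "form-action"):  # these directives never fall back to default-src
        if d not in csp:
            findings.append(f"{d} missing: not covered by default-src")
    return findings


if __name__ == "__main__":
    for line in lint_csp(SAMPLE_POLICY):
        print(line)
```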
