CSP Content Security Policy

Hi,

I need help. I don't know how to make the CSP (Content Security Policy) work.

I did some with the Transform Rules, but Google Insights says it is not strong enough.

That's missing:

script-src

object-src

I have tried with a Worker, but after this my site didn't show well anymore.

Please, can you help me?

A step-by-step guide would be cool.

Thank you to everyone

If you don't have local scripts running, use script-src 'none';

If you do have local scripts running, use script-src 'self' if they are in separate files. If they are inline scripts, use a nonce, e.g.

<script nonce="1fe61dae67c6">
 console.log("Using a nonce")
</script>

and add 'nonce-1fe61dae67c6' to the script-src in the CSP header.

If you are wanting to allow scripts from other sites you can add the site as example.com, e.g. script-src example.com

And you can combine these together:

script-src 'self' 'nonce-1fe61dae67c6' example.com;

Similar principles apply for other policy directives.

Check out MDN for (a lot) more information.

