DarkShield / daDashboard

Dashboard Frontend

Content Security Policy #88

Open mattjay opened 9 years ago

mattjay commented 9 years ago

Now that helmet is in, let's figure out what our CSP policy needs to look like.

var express = require('express');
var helmet = require('helmet');

var app = express();

// Example CSP configuration using the helmet API of the time; the domains are placeholders.
app.use(helmet.contentSecurityPolicy({
  defaultSrc: ["'self'", 'default.com'],
  scriptSrc: ['scripts.com'],
  styleSrc: ['style.com'],
  imgSrc: ['img.com'],
  connectSrc: ['connect.com'],
  fontSrc: ['font.com'],
  objectSrc: ['object.com'],
  mediaSrc: ['media.com'],
  frameSrc: ['frame.com'],
  sandbox: ['allow-forms', 'allow-scripts'],
  reportUri: '/report-violation',
  reportOnly: false, // set to true if you only want to report errors
  setAllHeaders: false, // set to true if you want to set all headers
  safari5: false // set to true if you want to force buggy CSP in Safari 5
}));

ProZachJ commented 9 years ago

We'll have to put angular in CSP mode first.

ProZachJ commented 9 years ago

After we do that we should be able to really lock it down.

mattjay commented 9 years ago

Figured there would be some oddities of CSP with Angular. Never looked into that.

ProZachJ commented 9 years ago

I've used it in WHIP; Chrome apps are required to be full CSP.

mattjay commented 9 years ago

https://docs.angularjs.org/api/ng/directive/ngCsp