RMHogervorst / rwethereyet

A braindump of unfinished ideas that are just not there yet
https://notes.rmhogervorst.nl

csp #23

Closed RMHogervorst closed 5 years ago

RMHogervorst commented 5 years ago

How do I do it? I used Netlify. (Check if Hugo processes headers otherwise.) I put the _headers file in static (gets deployed to the root of the website).

Explain what it is: CSP is a contract between your browser and a website. The contract specifies which sources are allowed. The browser, which doesn't know what is part of your website and what is not, honors this contract and will only use those resources. If it detects any other sources that want to play in your garden (I like this analogy) it blocks them, and if you have a report URI it will tell that parent. If not, it will still block.

Since my website is relatively simple I could do most of the work myself. I knew I loaded in images from Twitter, imgur and of course my own site (the site itself), a specific GitHub repo, and maybe YouTube. But I used a two-step approach with report-uri.com. I first added a small piece using their website example, and set the CSP to reporting only. This way all non-specified outside sources get reported by browsers and are ingested into report-uri. After you've had a bunch of traffic, you get an overview of outside resources being loaded.

RMHogervorst commented 5 years ago

The wizard in report-uri displays all of the outside sources being loaded and you can interactively toggle them, allowing or blocking them. This takes some time and effort because you load in a lot of scripts from different places. Don't blanket-approve all of them. If you are extremely cautious, block everything and unblock if the site doesn't work anymore.
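A worked version of the two-stage rollout described in the two comments above: emit the Netlify _headers file first with the Report-Only header, collect what browsers report, decide per source, then promote the same policy to the enforcing header. This is an added example, not code from the issue's author or from report-uri.com. The host names in the allow-list, the report endpoint and the list of observed resources are constructed placeholders, and the source matching is a deliberate simplification of what a browser actually does (no wildcards, nonces, hashes or path matching).

```python
"""Two-stage CSP rollout for a Netlify-hosted static site.

Added example; not code from the issue's author. The origins, the
report endpoint and the observed-resource list are constructed
placeholders, not values taken from the site.
"""
from urllib.parse import urlsplit

# Origin of the site being protected (URL taken from the issue page).
PAGE_ORIGIN = "https://notes.rmhogervorst.nl"

# Hypothetical allow-list modelled on the sources the thread mentions
# (Twitter, imgur, the site itself, YouTube). Host names are assumptions.
POLICY = {
    "default-src": ["'self'"],
    "img-src": ["'self'", "https://pbs.twimg.com", "https://i.imgur.com"],
    "script-src": ["'self'", "https://www.youtube.com"],
    "frame-src": ["https://www.youtube.com"],
}

# Placeholder endpoint; report-uri.com issues the real one per account.
REPORT_URI = "https://example.report-uri.com/r/d/csp/reportOnly"


def build_policy(policy, report_uri):
    """Serialise the directive map into a CSP header value."""
    parts = [f"{name} {' '.join(sources)}" for name, sources in policy.items()]
    parts.append(f"report-uri {report_uri}")
    return "; ".join(parts)


def netlify_headers(policy, report_uri, enforce=False):
    """Render a Netlify _headers file (placed in Hugo's static/ directory).

    Stage 1 (enforce=False) uses the Report-Only header: browsers report
    violations but block nothing. Stage 2 (enforce=True) promotes the same
    policy to the enforcing header.
    """
    header = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return f"/*\n  {header}: {build_policy(policy, report_uri)}\n"


def _origin(url):
    """scheme://host[:port] of a URL, which is what a plain CSP source names."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}"


def source_allowed(url, directive, policy, page_origin=PAGE_ORIGIN):
    """Simplified CSP matching: 'self' and exact scheme+host entries only.

    A directive absent from the policy falls back to default-src, as the
    browser does. Wildcards, nonces, hashes and paths are not modelled.
    """
    sources = policy.get(directive, policy.get("default-src", []))
    origin = _origin(url)
    for src in sources:
        if src == "'self'" and origin == page_origin:
            return True
        if src == origin:
            return True
    return False


# Constructed sample of resource loads reported while a deliberately strict
# Report-Only policy was running: (violated directive, blocked URI). This is
# the kind of list the report-uri wizard shows you to toggle through.
OBSERVED = [
    ("img-src", "https://i.imgur.com/abc.png"),
    ("img-src", "https://pbs.twimg.com/media/x.jpg"),
    ("img-src", "https://notes.rmhogervorst.nl/img/logo.png"),
    ("script-src", "https://third-party.example/inject.js"),
    ("style-src", "https://fonts.googleapis.com/css"),
]


def triage(observed, policy):
    """Return the reports the candidate policy would still block once enforced.

    Anything in this list is either something you forgot to allow (the site
    will break: unblock it) or something you never asked for (leave it blocked).
    """
    return [(d, u) for d, u in observed if not source_allowed(u, d, policy)]


if __name__ == "__main__":
    print(netlify_headers(POLICY, REPORT_URI))
    print(netlify_headers(POLICY, REPORT_URI, enforce=True))
    for directive, uri in triage(OBSERVED, POLICY):
        print(f"would block: {directive} <- {uri}")
```

Note the style-src entry in the sample: the policy has no style-src, so the browser falls back to default-src 'self' and would block the external stylesheet. That is exactly the "site doesn't work anymore, so unblock" case from the comment above, and the fallback is easy to miss when you only look at the directives you wrote.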

RMHogervorst commented 5 years ago

Why are we (I mean me, but I'm talking about the world in general) doing this CSP, this contract between browser and server? In one word: baddies.

Jackasses who dump JavaScript cryptocurrency miners in your website. They're making money on your CPU.

RMHogervorst commented 5 years ago

And that sucks. But it's also browser extensions (they see all your traffic) and some ISPs.

RMHogervorst commented 5 years ago

What we want is: content you created to the eyeballs of your readers. We use HTTPS so that no one can see or modify that content. It makes a tunnel between server and computer. But your site is not just one page. We load in JavaScript, CSS and images for animations, styling, making our work easier or faster. But some things modify the page or load in other stuff, for instance ads. Ultimately you want to be nice to people and their browser.

RMHogervorst commented 5 years ago

Great explanation here https://rud.is/b/2019/03/10/wrangling-content-security-policies-in-r/

To oversimplify things, the CSP header instructs a browser on what you’ve authorized to be part of your site. You supply directives for different types of content which tell browsers what sites can load content into the current page in an effort to prevent things like cross-site scripting attacks, malicious iframes, clickjacking, cryptojacking, and more. If you think this doesn’t happen, think again.