github / secure_headers

Manages application of security headers with many safe defaults
MIT License
3.16k stars 252 forks

How can I disable 'unsafe-inline' from script-src? #505

Closed josemateuss closed 1 year ago

josemateuss commented 1 year ago

I'm sorry, but can anyone help me?

My config/initializers/secure_headers.rb

SecureHeaders::Configuration.default do |config|
  config.csp = SecureHeaders::OPT_OUT   # no enforced Content-Security-Policy header is sent
  config.csp_report_only = {            # only Content-Security-Policy-Report-Only is sent
    #... 
    script_src: %w('self'),
    #...
  }
end

My ApplicationController

class ApplicationController < ActionController::Base
  before_action :set_nonce

  def set_nonce
    # per-request nonce; secure_headers emits the same value in the script-src directive
    @nonce = SecureHeaders.content_security_policy_script_nonce(request)
  end
end

I'm getting these CSP Report-Only values for script-src, but I don't want 'unsafe-inline' in my script-src. How can I remove it?

script-src 'self' 'nonce-WjyRDvWYkiem6KxwQnY4NAf2vO1qETcFOTF6WEbEGzE=' 'unsafe-inline';

Desired output:

script-src 'self' 'nonce-WjyRDvWYkiem6KxwQnY4NAf2vO1qETcFOTF6WEbEGzE=';

josemateuss commented 1 year ago

Sorry guys, my bad, I found it.

disable_nonce_backwards_compatibility: true, # default: false. If false, unsafe-inline will be added automatically when using nonces. If true, it won't. See #403 for why you'd want this.
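The option above only changes what is emitted; the reason the gem adds 'unsafe-inline' next to a nonce by default is how browsers of different CSP levels evaluate the directive. The following is an added example written for this page, not code from the secure_headers gem: it models (as a plain-Ruby stand-in, with its own nonce generation and its own hypothetical `script_src_directive` and `inline_script_allowed?` helpers) a script-src built with and without the compatibility source, then evaluates an inline script against each under CSP Level 1 semantics (nonces not understood) and Level 2+ semantics (once a nonce source is present, 'unsafe-inline' is ignored).

```ruby
require 'securerandom'
require 'base64'

# Illustrative model only; not the secure_headers implementation.
# Generates a nonce the way a CSP nonce is usually produced: random bytes, base64.
def generate_nonce
  Base64.strict_encode64(SecureRandom.random_bytes(32))
end

# Builds a script-src directive from a source list plus a per-request nonce.
# Mirrors the behaviour the option's comment describes: unless backwards
# compatibility is disabled, 'unsafe-inline' is appended next to the nonce so
# that CSP Level 1 browsers (which ignore nonce sources) still run inline scripts.
def script_src_directive(sources, nonce:, disable_nonce_backwards_compatibility: false)
  out = sources.dup
  out << "'nonce-#{nonce}'"
  out << "'unsafe-inline'" unless disable_nonce_backwards_compatibility
  "script-src #{out.join(' ')};"
end

# Decides whether an inline <script> carrying `script_nonce` (nil when the
# attribute is absent) would execute under `directive` in a browser that
# implements the given CSP level.
def inline_script_allowed?(directive, script_nonce:, csp_level:)
  tokens = directive.sub(/\Ascript-src\s+/, '').sub(/;\z/, '').split
  nonces = tokens.map { |t| t[/\A'nonce-(.+)'\z/, 1] }.compact
  unsafe_inline = tokens.include?("'unsafe-inline'")

  if csp_level >= 2 && !nonces.empty?
    # CSP Level 2+: a nonce source is present, so 'unsafe-inline' is ignored
    # and only scripts whose nonce attribute matches may run.
    nonces.include?(script_nonce)
  else
    # CSP Level 1: 'nonce-...' is an unrecognised source and is dropped;
    # inline scripts run only if 'unsafe-inline' is listed.
    unsafe_inline
  end
end

if __FILE__ == $PROGRAM_NAME
  nonce  = generate_nonce
  compat = script_src_directive(%w('self'), nonce: nonce)
  strict = script_src_directive(%w('self'), nonce: nonce, disable_nonce_backwards_compatibility: true)
  puts compat
  puts strict
  [1, 2].each do |level|
    puts "CSP#{level}: compat policy runs un-nonced inline script? " \
         "#{inline_script_allowed?(compat, script_nonce: nil, csp_level: level)}"
    puts "CSP#{level}: strict policy runs nonced inline script?    " \
         "#{inline_script_allowed?(strict, script_nonce: nonce, csp_level: level)}"
  end
end
```

The trade-off this shows: with the default (compatibility on), a modern browser enforces nonce-only execution regardless of the extra token, while a Level 1 browser falls back to allowing every inline script; with `disable_nonce_backwards_compatibility: true`, the emitted policy is strict on modern browsers and blocks all inline scripts, including nonced ones, on Level 1 browsers. Which failure mode is acceptable depends on which browsers the application must still support.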