gyselroth / balloon-client-web

balloon web user interface
GNU General Public License v3.0

Add content-security-policy by default #292

Closed raffis closed 4 years ago

raffis commented 4 years ago

Describe the change

Add a default csp to allow only internal resources but block anything else.

Current situation

There is no csp by default. Deployments are required to add these to traffic proxies (ingresses).

Should

nginx add headers:

# deny framing from other origins (clickjacking)
add_header X-Frame-Options SAMEORIGIN;
# stop browsers from MIME-sniffing responses away from the declared Content-Type
add_header X-Content-Type-Options nosniff;
# legacy XSS auditor for older browsers; block the page instead of sanitising it
add_header X-XSS-Protection "1; mode=block";
# default CSP: same-origin and data: only, inline scripts/styles and eval still allowed
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' data:;";
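To see what the proposed default actually permits, here is an added review script (not part of balloon-client-web or the issue) that parses the header set above and reports where the policy is weak. The header values are copied from the issue; the parsing and the findings logic are my own assumptions about a reasonable review.

```python
"""Parse and review the default header set proposed in this issue (added example)."""
from typing import Dict, List

# Header set from the issue, as nginx would emit it (constructed sample).
PROPOSED_HEADERS: Dict[str, str] = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline' 'unsafe-eval' data:;",
}

# Source expressions that re-enable exactly the inline script execution CSP is meant to stop.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are ';'-separated, tokens inside a directive are whitespace-separated.
    Directive names are case-insensitive; a repeated directive is ignored, as browsers do.
    """
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue  # trailing ';' or empty segment
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def review_headers(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings for a response header set."""
    findings: List[str] = []
    lowered = {k.lower(): v for k, v in headers.items()}
    for required in ("x-frame-options", "x-content-type-options", "content-security-policy"):
        if required not in lowered:
            findings.append(f"missing {required}")
    csp = parse_csp(lowered.get("content-security-policy", ""))
    if "default-src" not in csp:
        findings.append("csp has no default-src fallback")
    # script-src falls back to default-src when absent, so weak tokens there govern scripts too
    script_sources = csp.get("script-src", csp.get("default-src", []))
    for weak in sorted(WEAK_SOURCES & set(script_sources)):
        findings.append(f"script execution allows {weak}")
    if "frame-ancestors" not in csp:
        findings.append("no frame-ancestors; framing control relies on X-Frame-Options only")
    return findings
```

Running `review_headers(PROPOSED_HEADERS)` shows that the proposed policy does block third-party resources but still permits inline scripts and eval, which is the part of CSP that matters most against XSS.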