Darkspirit opened this issue 6 years ago (status: Open)
Blanket https: seems a little risky, see https://csp-evaluator.withgoogle.com/. Being specific and using nonces seems to be the way to go: https://csp.withgoogle.com/docs/strict-csp.html
Our CSP analysis is very shallow at the moment. To set your expectations: because a complete rewrite is necessary, it's not something we will undertake for at least two months.
https://www.hardenize.com/report/thesslstore.com/1518813280#www_csp
Could you please always mark the whole CSP result red if there is a * or http://?
Rationale: Insecure cookies are also red.
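The two points raised in this thread (blanket scheme sources such as https: versus nonce-based strict CSP, and the request to grade any policy containing * or http:// red) can be expressed as a small source-list grader. The following is an added example written for this thread; it is not Hardenize's analysis code, and the grades, the yellow/red thresholds and the sample policies are assumptions chosen to illustrate the discussion. It parses the Content-Security-Policy header, takes the effective script-src (falling back to default-src as browsers do), grades * and any http: source red as requested above, grades blanket https: and 'unsafe-inline' yellow, and recognises the strict-CSP pattern (nonce or hash plus 'strict-dynamic'), where CSP3 browsers ignore the scheme and host fallbacks.

```python
"""Toy CSP script-src grader (added example, not Hardenize's analysis code)."""
import re

# A nonce or hash source expression, e.g. 'nonce-abc123' or 'sha256-...'.
NONCE_OR_HASH = re.compile(
    r"^'(nonce-[A-Za-z0-9+/=_-]+|sha(?:256|384|512)-[A-Za-z0-9+/=]+)'$"
)
SEVERITY = {"green": 0, "yellow": 1, "red": 2}


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source, ...]}.

    Browsers honour only the first occurrence of a directive, so duplicates
    are ignored here as well.
    """
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_script_sources(policy: dict):
    """script-src governs scripts; without it, default-src applies; without
    either, script loading is unrestricted (returned as None)."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def grade_script_src(header: str):
    """Return (grade, findings) for the effective script source list."""
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return "red", ["no script-src or default-src: script loading is unrestricted"]

    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in sources)
    strict_dynamic = "'strict-dynamic'" in lowered
    findings = []  # list of (level, message)

    for src in lowered:
        if src == "*":
            findings.append(("red", "'*' allows scripts from any origin"))
        elif src == "http:" or src.startswith("http://"):
            # Graded red unconditionally, as requested in the thread above.
            findings.append(("red", f"{src} allows scripts over plain HTTP"))
        elif src == "https:":
            if strict_dynamic and has_nonce_or_hash:
                continue  # CSP3: scheme/host sources ignored under 'strict-dynamic'
            findings.append(("yellow", "'https:' allows scripts from any HTTPS origin"))
        elif src == "'unsafe-inline'":
            if has_nonce_or_hash:
                continue  # ignored by browsers that support nonces/hashes
            findings.append(("yellow", "'unsafe-inline' permits inline scripts"))
        elif src == "'unsafe-eval'":
            findings.append(("yellow", "'unsafe-eval' permits eval()"))

    worst = max((SEVERITY[level] for level, _ in findings), default=0)
    grade = next(name for name, score in SEVERITY.items() if score == worst)
    return grade, [message for _, message in findings]


if __name__ == "__main__":
    # Constructed sample policies, not taken from any real site.
    samples = [
        "script-src 'self' *",
        "default-src http://cdn.example.com 'self'",
        "default-src 'self'; script-src https: 'unsafe-inline'",
        "script-src 'nonce-abc123' 'strict-dynamic' https: 'unsafe-inline'",
        "",
    ]
    for sample in samples:
        grade, findings = grade_script_src(sample)
        print(f"{grade:6} {sample!r}")
        for finding in findings:
            print(f"       - {finding}")
```

The last sample is the strict-CSP shape from the Google guide linked above: the https: and 'unsafe-inline' entries are there only as fallbacks for older browsers, and a grader that does not understand 'strict-dynamic' would wrongly penalise it, which is the kind of depth a rewrite of the CSP check would need.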