Open t-heuser opened 2 weeks ago
Just one note (as mentioned before): Whatever the implementation is, it should not be based on Fusion in my opinion because that bakes the CSP rules into the content cache (which in turn means that caches have to be flushed whenever they change – unless we manage to put them into some dedicated cache segment)
Is there an existing issue for this topic?
Description
I'd love to see the Content-Security-Policy header (CSP) implemented in the NEOS core for backend and frontend.
It would make NEOS projects more secure by default; it could mitigate XSS attacks, for example.
Possible Solution
There is already an existing package for NEOS which adds CSP, but it's very old and not working anymore. I guess it will still be very useful for some inspiration, though.
I tried to repair the package by myself, but there were issues with nonces and cache, like others described in this Slack thread.
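To illustrate the nonce-versus-cache conflict mentioned above, here is an added example (not code from the issue or from Neos): the content cache is simulated by a plain dict, and the placeholder substitution in the second variant is a common technique, not something the issue proposes.

```python
import re
import secrets

# Token stored in cached markup in place of a real nonce (constructed value).
NONCE_PLACEHOLDER = "__CSP_NONCE__"

def new_nonce() -> str:
    """Fresh, unguessable per-response nonce (128 bits, base64url)."""
    return secrets.token_urlsafe(16)

def csp_header(nonce: str) -> str:
    """Policy that only allows scripts carrying this response's nonce."""
    return (f"default-src 'self'; script-src 'nonce-{nonce}' 'strict-dynamic'; "
            "object-src 'none'")

NONCE_ATTR = re.compile(r'<script\b[^>]*\snonce="([^"]*)"')

def script_nonces(html: str) -> list[str]:
    """All nonce attributes found on <script> tags in the markup."""
    return NONCE_ATTR.findall(html)

def policy_blocks_inline_scripts(html: str, header: str) -> bool:
    """True if any nonced <script> would be rejected under `header`, i.e.
    its nonce differs from the one the CSP header allows."""
    m = re.search(r"'nonce-([^']+)'", header)
    allowed = m.group(1) if m else None
    return any(n != allowed for n in script_nonces(html))

def render_fragment(nonce: str) -> str:
    """Simulated template: writes whatever nonce it is given into the markup."""
    return f'<div><script nonce="{nonce}">init();</script></div>'

def serve_naive(cache: dict) -> tuple[str, str]:
    """Nonce baked into the cached markup. The first request caches it; every
    later request sends a new header nonce with the stale markup nonce, so the
    browser blocks the script (or the cache must be flushed per request)."""
    nonce = new_nonce()
    if "page" not in cache:
        cache["page"] = render_fragment(nonce)
    return csp_header(nonce), cache["page"]

def serve_with_placeholder(cache: dict) -> tuple[str, str]:
    """Cache a placeholder and substitute the fresh nonce when the response is
    sent. The cached bytes no longer depend on the policy, so no flush is needed."""
    nonce = new_nonce()
    if "page" not in cache:
        cache["page"] = render_fragment(NONCE_PLACEHOLDER)
    return csp_header(nonce), cache["page"].replace(NONCE_PLACEHOLDER, nonce)
```

Running `serve_naive` twice against the same cache shows the second response's markup nonce no longer matching its header, while `serve_with_placeholder` stays consistent across requests.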