Add Content-Security-Policy header

[php-coder]

See for details:

• https://content-security-policy.com/
• http://cspisawesome.com/
• https://httpsecurityreport.com/best_practice.html#contentSecurityPolicy
• https://scotthelme.co.uk/content-security-policy-an-introduction/
• https://60devs.com/using-content-security-policy.html
• http://docs.spring.io/spring-security/site/docs/4.2.x/reference/htmlsingle/#headers-csp
• https://github.com/shapesecurity/salvation and http://cspvalidator.org/
• https://csp-evaluator.withgoogle.com
• https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
• https://rapidsec.com/analyze
• https://cspscanner.com
• https://cspscanner.com/csp-bypasses
• https://medium.com/@bhaveshthakur2015/content-security-policy-csp-bypass-techniques-e3fa475bfe5d
• https://devdocs.io/http-csp/

[php-coder]

Explicitly specify directives that aren't covered by default-src (like form-action, see https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5).

[php-coder]

Read also: https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/

[0pdd]

@php-coder the puzzle #1093 is still not solved.

[php-coder]

Could be useful, here are the Jenkins CSP rules: https://wiki.jenkins.io/display/JENKINS/Configuring+Content+Security+Policy