Add a content security policy - Githubissues

pulibrary / approvals

Approval system for travel and absence requests at Princeton University Library

Other

0 stars 0 forks source link

Add a content security policy #1200

Open sandbergja opened 1 day ago

sandbergja commented 1 day ago

What maintenance needs to be done?

Add a content security policy header.

Level of urgency

[ ] High
[ ] Moderate
[x] Low

Why is this maintenance needed?

It would provide XSS and Clickjacking protections to PUL staff who go to the approvals system.

Acceptance criteria

[ ] Approvals responses include a Content-Security-Policy header
[ ] The CSP has object-src 'none';
[ ] The CSP has base-uri 'none';
[ ] The CSP is as restrictive as possible
[ ] The UIs still work

Implementation notes, if any

See this documentation about a Strict CSP and MDN's general documentation about CSPs