Open jeremyfelt opened 8 years ago
Added an initial CSP to only wsu.edu today:
```nginx
add_header Content-Security-Policy-Report-Only "default-src https://wsu.edu https://*.wsu.edu; script-src 'unsafe-inline' https://wsu.edu https://*.wsu.edu https://use.typekit.net https://ajax.googleapis.com https://www.google-analytics.com https://www.googletagmanager.com; style-src 'unsafe-inline' https://wsu.edu https://*.wsu.edu https://fonts.googleapis.com; img-src *; font-src data: https://wsu.edu https://*.wsu.edu https://fonts.gstatic.com https://use.typekit.net; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; report-uri https://wsu.report-uri.io/r/default/csp/reportonly";
```
I have reporting set up through report-uri.io, so we'll get some info on this and see what's missing.
Reading: Use the `always` parameter when appropriate. http://nginx.org/en/docs/http/ngx_http_headers_module.html
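An added example (not code from the issue author or the WSU project) that lints the `add_header` line posted above: it extracts the header value, parses the policy into directives, and flags the settings a reviewer would ask about, including the missing `always` parameter from the reading note. The input string is copied from the issue; the function names and the set of lint rules are this example's own assumptions about what is worth flagging, not browser or nginx behaviour beyond what the comments state.

```python
"""Lint an nginx add_header Content-Security-Policy line.

Added example for this issue, not the issue author's or project's code.
The add_header line is copied from the issue; the lint rules and the
function names are this example's own choices.
"""
from __future__ import annotations

import re

# Copied from the issue above (constructed input for this example).
ADD_HEADER_LINE = (
    'add_header Content-Security-Policy-Report-Only "default-src https://wsu.edu '
    "https://*.wsu.edu; script-src 'unsafe-inline' https://wsu.edu https://*.wsu.edu "
    "https://use.typekit.net https://ajax.googleapis.com https://www.google-analytics.com "
    "https://www.googletagmanager.com; style-src 'unsafe-inline' https://wsu.edu "
    "https://*.wsu.edu https://fonts.googleapis.com; img-src *; font-src data: "
    "https://wsu.edu https://*.wsu.edu https://fonts.gstatic.com https://use.typekit.net; "
    "frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; "
    'reflected-xss block; report-uri https://wsu.report-uri.io/r/default/csp/reportonly";'
)

# Matches a double-quoted add_header directive with an optional trailing 'always'.
ADD_HEADER_RE = re.compile(
    r'^\s*add_header\s+(?P<name>\S+)\s+"(?P<value>[^"]*)"(?P<always>\s+always)?\s*;\s*$'
)

# Browsers ignore these when delivered in Content-Security-Policy-Report-Only.
REPORT_ONLY_NOOPS = {"upgrade-insecure-requests", "block-all-mixed-content"}
# From abandoned CSP 1.1 drafts; current browsers do not implement them.
NON_STANDARD = {"reflected-xss", "referrer"}


def parse_add_header(line: str) -> tuple[str, str, bool]:
    """Return (header name, header value, has_always) for one add_header line."""
    m = ADD_HEADER_RE.match(line)
    if not m:
        raise ValueError("not a double-quoted add_header directive")
    return m["name"], m["value"], m["always"] is not None


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive: [tokens]}.

    Directives are ';'-separated and the first token of each is its name.
    A browser keeps only the first occurrence of a duplicated directive,
    so setdefault() does the same here.
    """
    parsed: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            parsed.setdefault(tokens[0].lower(), tokens[1:])
    return parsed


def lint_csp(policy: str, report_only: bool) -> list[tuple[str, str]]:
    """Return (directive, problem) pairs for weak or ineffective settings."""
    d = parse_csp(policy)
    findings: list[tuple[str, str]] = []
    for name in d:
        if name in NON_STANDARD:
            findings.append((name, "not a standard directive; browsers ignore it"))
        if report_only and name in REPORT_ONLY_NOOPS:
            findings.append((name, "no effect in a Report-Only header"))
    for name in ("script-src", "style-src"):
        # Fetch directives fall back to default-src when they are absent.
        sources = d.get(name, d.get("default-src", []))
        if "'unsafe-inline'" in sources:
            findings.append((name, "'unsafe-inline' lets injected inline content run"))
    for name, sources in d.items():
        if name.endswith("-src") and "*" in sources:
            findings.append((name, "bare wildcard allows any origin"))
    if "report-uri" not in d and "report-to" not in d:
        findings.append(("report-uri", "no reporting endpoint; violations are dropped"))
    return findings


def lint_add_header(line: str) -> list[tuple[str, str]]:
    """Lint one add_header line: the nginx parameter plus the policy itself."""
    name, value, has_always = parse_add_header(line)
    findings: list[tuple[str, str]] = []
    if not has_always:
        # Without 'always', nginx adds the header only to 200, 201, 204, 206, 301,
        # 302, 303, 304, 307 and 308 responses, so 404/500 pages ship without a CSP.
        findings.append(("always", "missing; header not sent on error responses"))
    report_only = name.lower() == "content-security-policy-report-only"
    return findings + lint_csp(value, report_only)


if __name__ == "__main__":
    for directive, problem in lint_add_header(ADD_HEADER_LINE):
        print(f"{directive}: {problem}")
```

Run against the posted line it reports the missing `always`, the two directives that do nothing in Report-Only mode, the non-standard `reflected-xss`, `'unsafe-inline'` in both `script-src` and `style-src`, and the bare `*` in `img-src`; switching the header name to the enforcing `Content-Security-Policy` and appending `always` leaves only the policy-level findings.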