Closed thekid closed 1 year ago
Hrm - Chromium devtools says this:
The 'X-Frame-Options' header should not be used. A similar effect, with more consistent support and stronger checks, can be achieved with the 'Content-Security-Policy' header and 'frame-ancestors' directive.
Would https://securityheaders.com/ recognize this as a replacement too? Need to try this out...
What this pull request does
Implements #30 and sets X-Content-Type-Options, X-Frame-Options and Referrer-Policy to sensible default values, and allows specifying a Content-Security-Policy (including Report-Only mode).
CSP
Content Security Policy is quite specific to what you are doing on your site, so no default value is supplied. However, using
default-src 'self'; script-src 'self' 'nonce-{{nonce}}'; style-src 'self' 'nonce-{{nonce}}'; img-src 'self' https:
and then supplying nonce attributes on your <script> and <style> tags is maybe a good starting point, as well as replacing on...-attributes with addEventListener(). If we introduce a default CSP, this would be done in a separate major release!
See also https://content-security-policy.com/, https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP and https://scotthelme.co.uk/content-security-policy-an-introduction/
Example
With no code changed (that is, just using the defaults), the rating from https://securityheaders.com/ changes as follows:
Before: (screenshot)
After: (screenshot)
If we were to define a content security policy, we could get an A rating.
BC break
This pull request doesn't break any code, but the site's behavior will be different:
- <iframe>, you will have to set the X-Frame-Options header (either globally or on the embedding resource)
- Referrer-Policy to unsafe-url
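The nonce-based starting point quoted above, worked through as an added example (this is not code from this pull request or from the project; the three fixed header values and the function names are assumptions made for illustration). It generates a fresh nonce per response, substitutes it into the quoted policy template, emits either the enforcing or the Report-Only header, and includes a simplified CSP source-matching check that shows why a nonced <script> runs while an on...-attribute handler (which cannot carry a nonce) or a nonce copied from another response is blocked:

```python
import base64
import secrets
from typing import Dict, List, Optional

# The starting-point policy quoted in the PR description. {{nonce}} is
# substituted once per response; a nonce must never be reused.
CSP_TEMPLATE = (
    "default-src 'self'; script-src 'self' 'nonce-{{nonce}}'; "
    "style-src 'self' 'nonce-{{nonce}}'; img-src 'self' https:"
)


def new_nonce() -> str:
    """128 bits from the OS CSPRNG, base64-encoded so it needs no quoting
    in the header value or in an HTML attribute."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def security_headers(nonce: str, report_only: bool = False) -> Dict[str, str]:
    """Headers for one response. The three fixed values below are assumptions
    for this example; the PR only says it picks 'sensible defaults'."""
    headers = {
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    }
    name = ("Content-Security-Policy-Report-Only" if report_only
            else "Content-Security-Policy")
    headers[name] = CSP_TEMPLATE.replace("{{nonce}}", nonce)
    return headers


def script_tag(nonce: str, body: str) -> str:
    """Inline script carrying the same nonce the header of this response uses."""
    return f'<script nonce="{nonce}">{body}</script>'


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive-name: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def inline_allowed(policy: str, directive: str, tag_nonce: Optional[str]) -> bool:
    """Would an inline <script>/<style>, or an on...= handler (tag_nonce=None,
    since attributes cannot carry a nonce), run under `policy`?
    Simplified CSP source matching: a missing directive falls back to
    default-src, 'unsafe-inline' is ignored once a nonce or hash source is
    present, and nonces must match exactly (case-sensitive)."""
    d = parse_csp(policy)
    sources = d.get(directive, d.get("default-src", []))
    strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                 for s in sources)
    if "'unsafe-inline'" in sources and not strict:
        return True
    if tag_nonce is None:
        return False
    return f"'nonce-{tag_nonce}'" in sources


if __name__ == "__main__":
    nonce = new_nonce()
    for k, v in security_headers(nonce).items():
        print(f"{k}: {v}")
    print(script_tag(nonce, "document.getElementById('b').addEventListener('click', go);"))
    policy = security_headers(nonce)["Content-Security-Policy"]
    print("nonced script runs:", inline_allowed(policy, "script-src", nonce))
    print("onclick= handler runs:", inline_allowed(policy, "script-src", None))
    print("stale nonce runs:", inline_allowed(policy, "script-src", new_nonce()))
```

The check models the part of the policy that trips people up when they adopt the template: 'self' on its own never permits inline code, so every inline <script> and <style> needs the per-response nonce, and inline event handlers have no place to put one, which is why the description suggests moving them to addEventListener(). Start with report_only=True and watch the violation reports before switching to the enforcing header.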