Fix CSP rules (and tested)

2026-05-19 14:01:38 -04:00 · 2021-10-06 14:35:41 +01:00
parent d04f1e434c
commit ee5e06cd0c
1 changed files with 5 additions and 2 deletions
--- a/public/.htaccess
+++ b/public/.htaccess
@@ -26,8 +26,11 @@ Options +ExecCGI +Includes +IncludesNOEXEC +SymLinksIfOwnerMatch -Indexes

 <IfModule mod_headers.c>
  Header always set X-Frame-Options "SAMEORIGIN"
-  Header add Content-Security-Policy "script-src 'unsafe-inline'"
-  Header add Content-Security-Policy "font-src 'self', '*googleapis.com'"
+  Header add Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval'"
+  Header add Content-Security-Policy "style-src 'self' 'unsafe-inline' fonts.googleapis.com"
+  Header add Content-Security-Policy "font-src 'self' fonts.googleapis.com fonts.gstatic.com"
+  Header add Content-Security-Policy "object-src 'none'"
+  Header add Content-Security-Policy "form-action 'self'"
  Header set X-Content-Type-Options "nosniff"
  Header set X-XSS-Protection "1; mode=block"
  Header set X-Frame-Options "DENY"