authorDavid Runge <dave@sleepmap.de>2016-09-30 04:39:31 +0200
committerDavid Runge <dave@sleepmap.de>2016-09-30 04:39:31 +0200
commitf3ac328ee141dc3bcd4ebb228e8915e82a01cbbb (patch)
tree13e1b8d0d8e7180969ed73414b8bc6114b83eace /content/blog
parentaa96b26755f1e5747ed4f299752d85fd1cb31fa4 (diff)
downloadsleepmap-f3ac328ee141dc3bcd4ebb228e8915e82a01cbbb.tar.gz
sleepmap-f3ac328ee141dc3bcd4ebb228e8915e82a01cbbb.tar.bz2
sleepmap-f3ac328ee141dc3bcd4ebb228e8915e82a01cbbb.tar.xz
sleepmap-f3ac328ee141dc3bcd4ebb228e8915e82a01cbbb.zip
content/blog/201609-letsencrypt.rst: Update the Content-Security-Policy header information after a test showing differing behavior between the services.
Diffstat (limited to 'content/blog')
-rw-r--r--content/blog/201609-letsencrypt.rst10
1 files changed, 6 insertions, 4 deletions
diff --git a/content/blog/201609-letsencrypt.rst b/content/blog/201609-letsencrypt.rst
index a3453ac..a6d6c61 100644
--- a/content/blog/201609-letsencrypt.rst
+++ b/content/blog/201609-letsencrypt.rst
@@ -302,14 +302,13 @@ moar snippets
.. code:: nginx
- add_header Content-Security-Policy "default-src 'self'; connect-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval'";
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag "none";
-| A little note on the **Content-Security-Policy** here: Usually one would try to have the targets (**default-src**, **connect-src**, **img-src**, **script-src**, **style-src**) be set to *'self'*. Due to the inline :abbr:`CSS (Cascading Style Sheets)` and Javascript in services such as |website-owncloud|, this is not possible though, so *'unsafe_inline'* and *'unsafe_eval'* have to be added as well.
+| A little note on the **Content-Security-Policy** here: Usually one would try to have the targets (**default-src**, **connect-src**, **img-src**, **script-src**, **style-src**) be set to *'self'*. Due to the inline :abbr:`CSS (Cascading Style Sheets)` and Javascript in services such as |website-owncloud| and |website-roundcube|, this is not possible though, so *'unsafe_inline'* and *'unsafe_eval'* have to be added as well for some of them.
| At this point you could of course also choose to create differing *'security_headers'* inclusions for the services you run.
| Depending on which are running, you will want to monitor your developer console in your browser closely after using this security header. It will tell you, if CFP is blocking some resource (and possibly making it unusable).
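Review bot: The rewritten note line spells the two CSP keywords as *'unsafe_inline'* and *'unsafe_eval'* with underscores, while the `add_header Content-Security-Policy` lines in this hunk and in the per-service blocks below use the actual source expressions `'unsafe-inline'` and `'unsafe-eval'` with hyphens. A reader who copies the prose spelling gets a token the browser does not recognise, so the directive silently falls back to the stricter policy and the service breaks in exactly the way the paragraph warns about. Change them to `*'unsafe-inline'*` and `*'unsafe-eval'*` so the text matches the config. The unchanged line after it also writes CFP where CSP is meant.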
@@ -351,6 +350,7 @@ domain configurations
error_page 500 502 503 504 /50x.html;
# include security headers
include security_headers.conf;
+ add_header Content-Security-Policy "default-src 'self'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'";
# include the letsencrypt snippet
include letsencrypt-challenge.conf;
@@ -404,8 +404,9 @@ domain configurations
error_log /var/log/nginx/error.cloud.domain.log;
#this is to avoid Request Entity Too Large error
client_max_body_size 10G;
- # include security headers
- include security_headers.conf;
+ # include security headers (the rest are set by ownCloud itself already)
+ add_header Content-Security-Policy "default-src 'self'; connect-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval'";
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
# include the letsencrypt snippet
include letsencrypt-challenge.conf;
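Review bot: Replacing `include security_headers.conf;` with only the CSP and HSTS `add_header` lines removes X-Content-Type-Options, X-Frame-Options and X-XSS-Protection from the nginx side on the strength of the comment that ownCloud sets them itself; if that is true it holds only for responses generated by the PHP application, so anything nginx serves directly from this server block (static assets, the error pages configured a few lines up) would go out without them, which is worth confirming before relying on the comment. Separately, nginx does not merge `add_header` across configuration levels: a `location` block inside this server that declares its own `add_header` discards every header set here, and the same caveat applies to the single CSP lines added in the hunks at `@@ -351` and `@@ -485`. A one-line comment such as `# add_header is not inherited into any location that sets its own headers` next to these directives would save a later reader from that surprise. The enclosing server block starts and ends outside the hunk.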
@@ -485,6 +486,7 @@ domain configurations
client_max_body_size 20M;
# include security headers
include security_headers.conf;
+ add_header Content-Security-Policy "default-src 'self'; connect-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'";
# include the request-check snippet
include letsencrypt-challenge.conf;
# include the letsencrypt snippet