From f3ac328ee141dc3bcd4ebb228e8915e82a01cbbb Mon Sep 17 00:00:00 2001
From: David Runge
Date: Fri, 30 Sep 2016 04:39:31 +0200
Subject: content/blog/201609-letsencrypt.rst: Update the Content-Security-Policy header information after a test showing differing behavior between the services.
---
 content/blog/201609-letsencrypt.rst | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/content/blog/201609-letsencrypt.rst b/content/blog/201609-letsencrypt.rst
index a3453ac..a6d6c61 100644
--- a/content/blog/201609-letsencrypt.rst
+++ b/content/blog/201609-letsencrypt.rst
@@ -302,14 +302,13 @@ moar snippets
 .. code:: nginx
- add_header Content-Security-Policy "default-src 'self'; connect-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval'";
 add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
 add_header X-Content-Type-Options nosniff;
 add_header X-Frame-Options "SAMEORIGIN";
 add_header X-XSS-Protection "1; mode=block";
 add_header X-Robots-Tag "none";
-| A little note on the **Content-Security-Policy** here: Usually one would try to have the targets (**default-src**, **connect-src**, **img-src**, **script-src**, **style-src**) be set to *'self'*. Due to the inline :abbr:`CSS (Cascading Style Sheets)` and Javascript in services such as |website-owncloud|, this is not possible though, so *'unsafe_inline'* and *'unsafe_eval'* have to be added as well.
+| A little note on the **Content-Security-Policy** here: Usually one would try to have the targets (**default-src**, **connect-src**, **img-src**, **script-src**, **style-src**) be set to *'self'*. Due to the inline :abbr:`CSS (Cascading Style Sheets)` and Javascript in services such as |website-owncloud| and |website-roundcube|, this is not possible though, so *'unsafe_inline'* and *'unsafe_eval'* have to be added as well for some of them.
 | At this point you could of course also choose to create differing *'security_headers'* inclusions for the services you run.
 | Depending on which are running, you will want to monitor your developer console in your browser closely after using this security header. It will tell you, if CFP is blocking some resource (and possibly making it unusable).
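Review bot: The added prose line spells the keywords `'unsafe_inline'` and `'unsafe_eval'` with underscores, but the CSP source expressions are `'unsafe-inline'` and `'unsafe-eval'`, exactly as the nginx snippet above writes them; a reader who copies the prose spelling into a policy gets a token browsers silently ignore, so the inline script ends up blocked rather than permitted. I would correct both words on the new line and, while there, `CFP` to `CSP` in the unchanged sentence below. The text should also say plainly that `'unsafe-inline'` in `script-src` gives up most of the XSS protection the policy exists for on that vhost, so the relaxation belongs only on the services that need it, which the added "for some of them" only hints at.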
@@ -351,6 +350,7 @@ domain configurations
 error_page 500 502 503 504 /50x.html;
 # include security headers
 include security_headers.conf;
+ add_header Content-Security-Policy "default-src 'self'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'";
 # include the letsencrypt snippet
 include letsencrypt-challenge.conf;
@@ -404,8 +404,9 @@ domain configurations
 error_log /var/log/nginx/error.cloud.domain.log;
 #this is to avoid Request Entity Too Large error
 client_max_body_size 10G;
- # include security headers
- include security_headers.conf;
+ # include security headers (the rest are set by ownCloud itself already)
+ add_header Content-Security-Policy "default-src 'self'; connect-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval'";
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
 # include the letsencrypt snippet
 include letsencrypt-challenge.conf;
@@ -485,6 +486,7 @@ domain configurations
 client_max_body_size 20M;
 # include security headers
 include security_headers.conf;
+ add_header Content-Security-Policy "default-src 'self'; connect-src 'self'; img-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'";
 # include the request-check snippet
 include letsencrypt-challenge.conf;
 # include the letsencrypt snippet
-- 
cgit v1.2.3-54-g00ecf
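Review bot: The added `add_header Content-Security-Policy …` line, like everything pulled in by `security_headers.conf`, is only attached by nginx to 2xx/3xx responses, so the `/50x.html` page configured by the `error_page` line two lines above goes out with no CSP and no other security header; append `always` (nginx ≥ 1.7.5): `add_header Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'" always;`. In that rewrite `connect-src 'self'`, `img-src 'self'`, `script-src 'self'` and `style-src 'self'` are dropped because they only repeat what `default-src 'self'` already implies, while `base-uri` and `frame-ancestors` are added because `default-src` does not cover them. Also keep in mind that nginx does not merge `add_header` across levels: a single `add_header` inside any `location` block of this server hides every header set here, which is easier to miss now that the CSP lives in the vhost instead of the shared snippet; the server block continues outside the hunk, so I cannot see whether that is the case.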
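Review bot: The reasoning in the new comment ("the rest are set by ownCloud itself already") most likely applies to the CSP too: ownCloud's PHP layer has sent its own `Content-Security-Policy` since the 8.x releases (worth confirming with `curl -I` against this vhost), and when a response carries two CSP headers the browser enforces both, so the nginx policy added here can only tighten ownCloud's, never loosen it — the `'unsafe-inline' 'unsafe-eval'` tokens are then not what makes ownCloud work, and the line suggests otherwise to a reader. Either drop the nginx CSP for this vhost or keep it and say in the comment that it is a floor under the application's own policy. Two smaller points on the new lines: `'unsafe-eval'` in `style-src` has no defined effect in CSP Level 2 and, as far as I know, is not acted on by browsers, so it reads as an oversight; and the STS value carries a stray trailing semicolon, so I would write `add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;`, keeping `preload` only if you genuinely intend to submit the domain and all subdomains to the preload list, because that commitment is slow to undo.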
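Review bot: The new policy grants `script-src 'self' 'unsafe-inline' 'unsafe-eval'` on what the prose in the earlier hunk suggests is the Roundcube vhost (the 20M `client_max_body_size` fits a webmail upload limit), i.e. the one service that renders attacker-supplied HTML mail; with `'unsafe-inline'` in `script-src` the CSP no longer stops injected inline script, which is the main thing it is there for. I would at least put a comment on the new line recording which feature broke without each token, e.g. `# 'unsafe-inline'/'unsafe-eval' needed by Roundcube's inline JS; revisit when the app supports CSP nonces`, so a later reader knows what can be tightened and why it was loosened. Independent of that, `object-src 'none'; base-uri 'self'; frame-ancestors 'self'` are cheap additions that `default-src` does not cover, and the header should carry `always` so error responses get it too. The server block continues outside the hunk, so I cannot tell whether a `location` block below re-declares `add_header`, which would silently drop everything set here.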