Add Content-Security-Policy to example webserver configs
Hi,
as a defense in depth step, I would like to add example CSPs to the server configs. Before I create a MR for that, I would like some feedback :)
Here is a CSP which was tested with pleroma-fe and mastofe:
content-security-policy:
default-src 'none';
base-uri 'self';
connect-src 'self' wss://domain.tld;
font-src 'self';
form-action 'self';
img-src 'self' data: https:;
media-src 'self' https:;
script-src 'self';
style-src 'self' 'unsafe-inline';
upgrade-insecure-requests;
I don't know if Vue.js supports a CSP without style-src 'unsafe-inline'.
Would be great if some people could test the headers to make sure everything still works. :)
Edited by shibayashi
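A small checker for the proposed header, added here as an example and not part of Pleroma, pleroma-fe or the author's MR. It parses the policy as posted (domain.tld kept as the placeholder), applies the default-src fallback for fetch directives that are not listed, and flags the source expressions a reviewer would question; on this policy the only finding is the style-src 'unsafe-inline' the post already asks about.

```python
# Added example: parse a Content-Security-Policy header and flag weak
# source expressions. The header below is the one proposed in the post.
PROPOSED_CSP = (
    "default-src 'none'; base-uri 'self'; connect-src 'self' wss://domain.tld; "
    "font-src 'self'; form-action 'self'; img-src 'self' data: https:; "
    "media-src 'self' https:; script-src 'self'; "
    "style-src 'self' 'unsafe-inline'; upgrade-insecure-requests"
)

# Fetch directives that fall back to default-src when they are absent.
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "font-src",
                    "connect-src", "media-src", "object-src", "frame-src")
# Source expressions worth a finding in any fetch directive.
RISKY_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "http:")


def parse_csp(header):
    """Split a CSP header into {directive: [sources]}.
    Directive names are case-insensitive, so they are lower-cased."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Sources that apply to a fetch directive, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def lint_csp(header):
    """Return a list of findings; an empty list means nothing was flagged."""
    policy = parse_csp(header)
    findings = []
    if policy.get("default-src") != ["'none'"]:
        findings.append("default-src should be 'none' so unlisted fetch directives are denied")
    for directive in FETCH_DIRECTIVES:
        for src in effective_sources(policy, directive):
            if src in RISKY_SOURCES:
                findings.append(f"{directive} allows {src}")
            # data: is common in img-src, but in script/object it is a code-loading path.
            if src == "data:" and directive in ("script-src", "object-src"):
                findings.append(f"{directive} allows data: URIs")
    if "upgrade-insecure-requests" not in policy:
        findings.append("upgrade-insecure-requests missing")
    return findings
```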