External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-02-23 05:55:59 -03:30
Code Issues Packages Projects Releases Wiki Activity

add a reasonable default Content Security Policy

Browse Source 
ideally we'd improve this over time to remove the `unsafe-inline` lines,
but we can't due that today because Angular1 makes use of a lot of
inline <script> and <style> tag generation

see: https://github.com/ansible/awx/issues/2056
This commit is contained in:
Ryan Petrello
2019-06-26 10:02:36 -04:00
parent e612a167e2
commit eacf819caf
4 changed files with 21 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
installer/roles/image_build/templates/nginx.conf.j2
View File

@@ -61,6 +61,8 @@ http {
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' cdn.pendo.io; report-uri /csp-violation/";
add_header X-Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' cdn.pendo.io; report-uri /csp-violation/";
# Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
add_header X-Frame-Options "DENY";