sinfonie/photo26
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions

Harden CSP and Referrer-Policy in HTML header

Browse source
This commit is contained in:
Alexandre Iooss 2022-03-09 11:35:48 +01:00
parent f48f9b00e9
commit 2447735aec
2 changed files with 2 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

1
docs/nginx_photos
View file

@ -38,7 +38,6 @@ server {
client_max_body_size 2G;
add_header "X-XSS-Protection" "1; mode=block";
add_header "Content-Security-Policy" "default-src 'self' 'unsafe-inline';";
# Django statics and media
# Do not directly serve media, it must be authorized

2
photo21/templates/base.html
View file

@ -8,6 +8,8 @@ SPDX-License-Identifier: GPL-3.0-or-later
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-ancestors 'none'">
<meta http-equiv="Referrer-Policy" content="no-referrer">
<title>{% block title %}{{ title }}{% endblock title %} - {{ request.site.name }}</title>
<meta name="description" content="{% trans "The ENS Paris-Saclay pictures server." %}">
<link rel="stylesheet" href="{% static "bootstrap5/css/bootstrap.min.css" %}">