authorPaul Duncan <pabs@pablotron.org>2021-10-20 14:12:53 -0400
committerPaul Duncan <pabs@pablotron.org>2021-10-20 14:12:53 -0400
commit42009145206d622a7aeaf8cb8213039bc82f4715 (patch)
tree0535590f18ea6d48c24910311c3795137c82ec7d
parentd38f49617f7d6dd496bc2987e0f0143cfa826a5d (diff)
downloadpablotron.org-42009145206d622a7aeaf8cb8213039bc82f4715.tar.bz2
pablotron.org-42009145206d622a7aeaf8cb8213039bc82f4715.zip
posts/2021-10-19-hugo-csp-impedance-mismatch.md: fix access-control-allow-origin, add referrer-policy and permissions-policy
-rw-r--r--content/posts/2021-10-19-hugo-csp-impedance-mismatch.md16
1 files changed, 15 insertions, 1 deletions
diff --git a/content/posts/2021-10-19-hugo-csp-impedance-mismatch.md b/content/posts/2021-10-19-hugo-csp-impedance-mismatch.md
index 203d342..081a883 100644
--- a/content/posts/2021-10-19-hugo-csp-impedance-mismatch.md
+++ b/content/posts/2021-10-19-hugo-csp-impedance-mismatch.md
@@ -74,13 +74,25 @@ Header append "X-Frame-Options" "SAMEORIGIN"
Header append "X-Content-Type-Options" "nosniff"
Header append "Cross-Origin-Opener-Policy" "same-origin"
Header append "Cross-Origin-Resource-Policy" "same-origin"
-Header append "Access-Control-Allow-Origin" "*"
+Header append "Access-Control-Allow-Origin" "https://pablotron.org"
Header append "Access-Control-Allow-Methods" "POST, GET, HEAD, OPTIONS"
+# securityheaders.com updates (2021-10-20)
+Header append "Referrer-Policy" "strict-origin-when-cross-origin"
+Header append "Permissions-Policy" "camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=()"
+
+
# 'unsafe-inline' needed for hugo table cell alignment :/
Header append "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org; style-src 'self' 'unsafe-inline'"
```
+&nbsp;
+
+**Update (2021-10-20):** Based on the [the scan results from
+securityheaders.com][securityheaders-scan-results], I constrained
+`Access-Control-Allow-Origin`, added `Referrer-Policy`, and added
+`Permissions-Policy`.
+
[csp]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
"Content-Security-Policy HTTP response header"
[chroma]: https://github.com/alecthomas/chroma
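Review bot: every directive in this hunk uses `Header append`, which only fires on 2xx responses by default and merges into any existing value with a comma; for `Access-Control-Allow-Origin` (the `+Header append "Access-Control-Allow-Origin" "https://pablotron.org"` line) a merged, comma-separated value is rejected by browsers, and the 4xx/5xx error pages will carry none of these headers at all. Consider `Header always set` for the single-valued security headers so they are emitted exactly once on every response. Two smaller points: the two blank lines added before `# 'unsafe-inline' needed for hugo table cell alignment :/` are one more than the rest of the block uses, and the update paragraph reads "Based on the [the scan results from", a doubled "the".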
@@ -105,3 +117,5 @@ Header append "Content-Security-Policy" "default-src 'self'; img-src 'self' http
"Simple snippets in content files calling built-in or custom templates"
[table-shortcode]: https://discourse.gohugo.io/t/how-to-create-tables-more-simpler-without-markdown/15254/4
"Create tables without Markdown"
+[securityheaders-scan-results]: https://securityheaders.com/?q=pablotron.org&hide=on&followRedirects=on
+ "Scan results for this site from securityheaders.com"
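Review bot: the `[securityheaders-scan-results]` URL triggers a fresh scan of the site on each visit rather than showing a stored result, so what readers see will drift from the 2021-10-20 findings the update describes; the link title could say so (e.g. "Live scan results for this site from securityheaders.com") so the reference does not read as a snapshot. The continuation-line indentation matches the existing `[table-shortcode]` entry, which is fine.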