author: Paul Duncan <pabs@pablotron.org> 2021-10-25 19:06:49 -0400
committer: Paul Duncan <pabs@pablotron.org> 2021-10-25 19:06:49 -0400
commit: 85090f9dc2085875f2767eac346ef094f6eaff82 (patch)
tree: b4c4f167a0e99d729ac3193f3b72313924a4474c
parent: 732e3a7807e2846eea207a8da9343d1ca9457bf0 (diff)
download: pablotron.org-85090f9dc2085875f2767eac346ef094f6eaff82.tar.bz2
pablotron.org-85090f9dc2085875f2767eac346ef094f6eaff82.zip
add posts/2021-10-25-the-nuclear-option-no-more-unsafe-inline.md and update posts/2021-10-10-hugo-csp-impedance-mismatch.md
-rw-r--r-- content/posts/2021-10-19-hugo-csp-impedance-mismatch.md | 4
-rw-r--r-- content/posts/2021-10-25-the-nuclear-option-no-more-unsafe-inline.md | 45
-rw-r--r-- static/files/posts/the-nuclear-option-no-more-unsafe-inline/securityheaders.png | bin 0 -> 41600 bytes
3 files changed, 49 insertions, 0 deletions
diff --git a/content/posts/2021-10-19-hugo-csp-impedance-mismatch.md b/content/posts/2021-10-19-hugo-csp-impedance-mismatch.md
index 081a883..e2abaa0 100644
--- a/content/posts/2021-10-19-hugo-csp-impedance-mismatch.md
+++ b/content/posts/2021-10-19-hugo-csp-impedance-mismatch.md
@@ -93,6 +93,8 @@ securityheaders.com][securityheaders-scan-results], I constrained
`Access-Control-Allow-Origin`, added `Referrer-Policy`, and added
`Permissions-Policy`.
+**Update 2 (2021-10-25):** I went with [the nuclear option][nuclear-option].
+
[csp]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
"Content-Security-Policy HTTP response header"
[chroma]: https://github.com/alecthomas/chroma
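Review bot: the added `**Update 2 (2021-10-25):**` line records that a decision was made but not what it was, and since this post's whole question was whether `'unsafe-inline'` could be kept out of `style-src`, a reader skimming the updates has to follow the link to learn the answer. Consider stating the outcome inline, e.g. `**Update 2 (2021-10-25):** I went with [the nuclear option][nuclear-option] and removed `style-src 'self' 'unsafe-inline'` from the policy entirely.` The `[nuclear-option]` reference this line uses is defined further down in the same file, so the link itself resolves.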
@@ -119,3 +121,5 @@ securityheaders.com][securityheaders-scan-results], I constrained
"Create tables without Markdown"
[securityheaders-scan-results]: https://securityheaders.com/?q=pablotron.org&hide=on&followRedirects=on
"Scan results for this site from securityheaders.com"
+[nuclear-option]: {{< relref "posts/2021-10-25-the-nuclear-option-no-more-unsafe-inline.md" >}}
+ "Table shortcode for Hugo, removal of unsafe-inline, and updated Security Headers scan result."
diff --git a/content/posts/2021-10-25-the-nuclear-option-no-more-unsafe-inline.md b/content/posts/2021-10-25-the-nuclear-option-no-more-unsafe-inline.md
new file mode 100644
index 0000000..34a3a7a
--- /dev/null
+++ b/content/posts/2021-10-25-the-nuclear-option-no-more-unsafe-inline.md
@@ -0,0 +1,45 @@
+---
+slug: the-nuclear-option-no-more-unsafe-inline
+title: "The Nuclear Option (No More unsafe-inline)"
+date: "2021-10-25T18:50:13-04:00"
+draft: false
+---
+As you can see from the [last post][], I went with the nuclear option
+and created a [Hugo table shortcode][git], then did the following:
+
+1. Updated all the tables on the site to use the new [table
+ shortcode][git].
+2. Removed `style-src 'self' 'unsafe-inline'` from the
+ [`Content-Security-Policy` header][csp].
+3. Re-ran the [Security Headers][securityheaders] scan.
+
+Here is the updated [`Content-Security-Policy`][csp] from the [Apache][]
+config:
+
+```apache
+# look ma, no unsafe-inline!
+Header append "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org"
+```
+&nbsp;
+
+And here is the updated [Security Headers][securityheaders] scan result:
+
+[{{< figure
+ src="/files/posts/the-nuclear-option-no-more-unsafe-inline/securityheaders.png"
+ class=image
+ width=1218
+ height=248
+ caption=" Updated Security Headers scan result."
+>}}][securityheaders-results]
+
+[previous post]: {{< relref "posts/2021-10-25-table-shortcode-for-hugo.md" >}}
+ "Release announcement for hugo-shortcode-table."
+[git]: https://pablotron.org/pablotron/hugo-shortcode-table
+ "Table shortcode for hugo."
+[securityheaders]: https://securityheaders.com/
+ "HTTP response header scanner."
+[securityheaders-results]: https://securityheaders.com/?q=pablotron.org&hide=on&followRedirects=on
+[csp]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+ "Content-Security-Policy HTTP response header"
+[apache]: https://apache.org/
+ "Apache web server."
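Review bot: the reference-style link `[last post][]` on the first body line has no matching definition; the definition block at the end of the file labels it `[previous post]`, so Markdown will render the literal text `[last post][]` rather than a link. Rename one side to match, e.g. `As you can see from the [previous post][], I went with the nuclear option`. Two smaller points on the Apache snippet: `Header append` merges the value with any `Content-Security-Policy` header already set elsewhere in the config (browsers enforce every comma-separated policy they receive), so `Header set` is the safer choice if this is meant to be the only policy; and `default-src` is a fallback for fetch directives only, so with `style-src` gone the policy correctly falls back to `'self'` for stylesheets, but `frame-ancestors`, `base-uri` and `form-action` still need to be set explicitly if the intent is to cover them too.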
diff --git a/static/files/posts/the-nuclear-option-no-more-unsafe-inline/securityheaders.png b/static/files/posts/the-nuclear-option-no-more-unsafe-inline/securityheaders.png
new file mode 100644
index 0000000..0ac81a5
--- /dev/null
+++ b/static/files/posts/the-nuclear-option-no-more-unsafe-inline/securityheaders.png
Binary files differ