-rw-r--r-- content/posts/2021-10-19-hugo-csp-impedance-mismatch.md | 16
1 files changed, 15 insertions, 1 deletions
diff --git a/content/posts/2021-10-19-hugo-csp-impedance-mismatch.md b/content/posts/2021-10-19-hugo-csp-impedance-mismatch.md
index 203d342..081a883 100644
--- a/content/posts/2021-10-19-hugo-csp-impedance-mismatch.md
+++ b/content/posts/2021-10-19-hugo-csp-impedance-mismatch.md
@@ -74,13 +74,25 @@ Header append "X-Frame-Options" "SAMEORIGIN"
Header append "X-Content-Type-Options" "nosniff"
Header append "Cross-Origin-Opener-Policy" "same-origin"
Header append "Cross-Origin-Resource-Policy" "same-origin"
-Header append "Access-Control-Allow-Origin" "*"
+Header append "Access-Control-Allow-Origin" "https://pablotron.org"
Header append "Access-Control-Allow-Methods" "POST, GET, HEAD, OPTIONS"
+# securityheaders.com updates (2021-10-20)
+Header append "Referrer-Policy" "strict-origin-when-cross-origin"
+Header append "Permissions-Policy" "camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=()"
+
+
# 'unsafe-inline' needed for hugo table cell alignment :/
Header append "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org; style-src 'self' 'unsafe-inline'"
```
+ 
+
+**Update (2021-10-20):** Based on the [the scan results from
+securityheaders.com][securityheaders-scan-results], I constrained
+`Access-Control-Allow-Origin`, added `Referrer-Policy`, and added
+`Permissions-Policy`.
+
[csp]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
"Content-Security-Policy HTTP response header"
[chroma]: https://github.com/alecthomas/chroma
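Review bot: the new `Access-Control-Allow-Origin` value `https://pablotron.org` is the site's own origin, so unless these responses are also fetched from some other host the header is now effectively a no-op (same-origin requests never consult CORS headers), and because it is emitted with `Header append` rather than `Header set`, any other directive that also sets this header would yield a comma-joined value that browsers reject as an invalid origin; consider `Header set`, or dropping the header if no cross-origin consumer exists. Two smaller points in the same hunk: the `+ ` line after the closing ``` fence adds a line containing only a single space (trailing whitespace), and the update paragraph reads "Based on the [the scan results", a doubled article.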
@@ -105,3 +117,5 @@ Header append "Content-Security-Policy" "default-src 'self'; img-src 'self' http
"Simple snippets in content files calling built-in or custom templates"
[table-shortcode]: https://discourse.gohugo.io/t/how-to-create-tables-more-simpler-without-markdown/15254/4
"Create tables without Markdown"
+[securityheaders-scan-results]: https://securityheaders.com/?q=pablotron.org&hide=on&followRedirects=on
+ "Scan results for this site from securityheaders.com"
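Review bot: the `securityheaders-scan-results` link points at a live re-scan (`?q=pablotron.org&hide=on&followRedirects=on`) rather than an archived result, so a reader following it later sees whatever headers the site serves at that time, not the 2021-10-20 results the update paragraph describes; consider saying so in the link title, e.g. "Live scan of this site on securityheaders.com".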