From 85090f9dc2085875f2767eac346ef094f6eaff82 Mon Sep 17 00:00:00 2001 From: Paul Duncan Date: Mon, 25 Oct 2021 19:06:49 -0400 Subject: add posts/2021-10-25-the-nuclear-option-no-more-unsafe-inline.md and update posts/2021-10-10-hugo-csp-impedance-mismatch.md --- ...-25-the-nuclear-option-no-more-unsafe-inline.md | 45 ++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 content/posts/2021-10-25-the-nuclear-option-no-more-unsafe-inline.md (limited to 'content/posts/2021-10-25-the-nuclear-option-no-more-unsafe-inline.md') diff --git a/content/posts/2021-10-25-the-nuclear-option-no-more-unsafe-inline.md b/content/posts/2021-10-25-the-nuclear-option-no-more-unsafe-inline.md new file mode 100644 index 0000000..34a3a7a --- /dev/null +++ b/content/posts/2021-10-25-the-nuclear-option-no-more-unsafe-inline.md 
@@ -0,0 +1,45 @@ +--- +slug: the-nuclear-option-no-more-unsafe-inline +title: "The Nuclear Option (No More unsafe-inline)" +date: "2021-10-25T18:50:13-04:00" +draft: false +--- +As you can see from the [last post][], I went with the nuclear option +and created a [Hugo table shortcode][git], then did the following: + +1. Updated all the tables on the site to use the new [table + shortcode][git]. +2. Removed `style-src 'self' 'unsafe-inline'` from the + [`Content-Security-Policy` header][csp]. +3. Re-ran the [Security Headers][securityheaders] scan. + +Here is the updated [`Content-Security-Policy`][csp] from the [Apache][] +config: + +```apache +# look ma, no unsafe-inline! +Header append "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org" +``` +  + +And here is the updated [Security Headers][securityheaders] scan result: + +[{{< figure + src="/files/posts/the-nuclear-option-no-more-unsafe-inline/securityheaders.png" + class=image + width=1218 + height=248 + caption=" Updated Security Headers scan result." +>}}][securityheaders-results] + +[previous post]: {{< relref "posts/2021-10-25-table-shortcode-for-hugo.md" >}} + "Release announcement for hugo-shortcode-table." +[git]: https://pablotron.org/pablotron/hugo-shortcode-table + "Table shortcode for hugo." +[securityheaders]: https://securityheaders.com/ + "HTTP response header scanner." +[securityheaders-results]: https://securityheaders.com/?q=pablotron.org&hide=on&followRedirects=on +[csp]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP + "Content-Security-Policy HTTP response header" +[apache]: https://apache.org/ + "Apache web server." -- cgit v1.2.3
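Review bot: the reference link `[last post][]` in the opening sentence has no matching definition; the definitions at the bottom of the file declare `[previous post]:` instead, so the link to the table-shortcode post will render as literal bracketed text. Rename one side to match, e.g. `[previous post][]` in the sentence (Markdown reference labels are case-insensitive, so `[Apache][]` against `[apache]:` is fine). Two smaller nits in the same hunk: the whitespace-only line `+  ` after the closing ``` fence is stray, and `caption=" Updated Security Headers scan result."` carries a leading space that will show up in the rendered caption. On the policy itself, dropping `style-src` entirely means styles now fall back to `default-src 'self'`, which is the intended effect; since the directive uses `Header append`, note that if another `Content-Security-Policy` header is set elsewhere in the Apache config the values will be comma-joined and browsers enforce each resulting policy independently, so `Header set` is the safer choice when this is meant to be the only policy.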