From 42009145206d622a7aeaf8cb8213039bc82f4715 Mon Sep 17 00:00:00 2001
From: Paul Duncan
Date: Wed, 20 Oct 2021 14:12:53 -0400
Subject: posts/2021-10-19-hugo-csp-impedance-mismatch.md: fix access-control-allow-origin, add referrer-policy and permissions-policy

---
 content/posts/2021-10-19-hugo-csp-impedance-mismatch.md | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
 (limited to 'content/posts')

diff --git a/content/posts/2021-10-19-hugo-csp-impedance-mismatch.md b/content/posts/2021-10-19-hugo-csp-impedance-mismatch.md
index 203d342..081a883 100644
--- a/content/posts/2021-10-19-hugo-csp-impedance-mismatch.md
+++ b/content/posts/2021-10-19-hugo-csp-impedance-mismatch.md
@@ -74,13 +74,25 @@ Header append "X-Frame-Options" "SAMEORIGIN"
 Header append "X-Content-Type-Options" "nosniff"
 Header append "Cross-Origin-Opener-Policy" "same-origin"
 Header append "Cross-Origin-Resource-Policy" "same-origin"
-Header append "Access-Control-Allow-Origin" "*"
+Header append "Access-Control-Allow-Origin" "https://pablotron.org"
 Header append "Access-Control-Allow-Methods" "POST, GET, HEAD, OPTIONS"
+# securityheaders.com updates (2021-10-20)
+Header append "Referrer-Policy" "strict-origin-when-cross-origin"
+Header append "Permissions-Policy" "camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=()"
+
+
 # 'unsafe-inline' needed for hugo table cell alignment :/
 Header append "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org; style-src 'self' 'unsafe-inline'"
 ```
+ 
+
+**Update (2021-10-20):** Based on the [the scan results from
+securityheaders.com][securityheaders-scan-results], I constrained
+`Access-Control-Allow-Origin`, added `Referrer-Policy`, and added
+`Permissions-Policy`.
+
 [csp]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
   "Content-Security-Policy HTTP response header"
 [chroma]: https://github.com/alecthomas/chroma
@@ -105,3 +117,5 @@ Header append "Content-Security-Policy" "default-src 'self'; img-src 'self' http
   "Simple snippets in content files calling built-in or custom templates"
 [table-shortcode]: https://discourse.gohugo.io/t/how-to-create-tables-more-simpler-without-markdown/15254/4
   "Create tables without Markdown"
+[securityheaders-scan-results]: https://securityheaders.com/?q=pablotron.org&hide=on&followRedirects=on
+  "Scan results for this site from securityheaders.com"
-- 
cgit v1.2.3