From 85090f9dc2085875f2767eac346ef094f6eaff82 Mon Sep 17 00:00:00 2001 From: Paul Duncan Date: Mon, 25 Oct 2021 19:06:49 -0400 Subject: add posts/2021-10-25-the-nuclear-option-no-more-unsafe-inline.md and update posts/2021-10-10-hugo-csp-impedance-mismatch.md --- .../2021-10-19-hugo-csp-impedance-mismatch.md | 4 ++ ...-25-the-nuclear-option-no-more-unsafe-inline.md | 45 ++++++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 content/posts/2021-10-25-the-nuclear-option-no-more-unsafe-inline.md (limited to 'content') diff --git a/content/posts/2021-10-19-hugo-csp-impedance-mismatch.md b/content/posts/2021-10-19-hugo-csp-impedance-mismatch.md index 081a883..e2abaa0 100644 --- a/content/posts/2021-10-19-hugo-csp-impedance-mismatch.md +++ b/content/posts/2021-10-19-hugo-csp-impedance-mismatch.md @@ -93,6 +93,8 @@ securityheaders.com][securityheaders-scan-results], I constrained `Access-Control-Allow-Origin`, added `Referrer-Policy`, and added `Permissions-Policy`. +**Update 2 (2021-10-25):** I went with [the nuclear option][nuclear-option]. + [csp]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP "Content-Security-Policy HTTP response header" [chroma]: https://github.com/alecthomas/chroma @@ -119,3 +121,5 @@ securityheaders.com][securityheaders-scan-results], I constrained "Create tables without Markdown" [securityheaders-scan-results]: https://securityheaders.com/?q=pablotron.org&hide=on&followRedirects=on "Scan results for this site from securityheaders.com" +[nuclear-option]: {{< relref "posts/2021-10-25-the-nuclear-option-no-more-unsafe-inline.md" >}} + "Table shortcode for Hugo, removal of unsafe-inline, and updated Security Headers scan result." diff --git a/content/posts/2021-10-25-the-nuclear-option-no-more-unsafe-inline.md b/content/posts/2021-10-25-the-nuclear-option-no-more-unsafe-inline.md new file mode 100644 index 0000000..34a3a7a --- /dev/null +++ b/content/posts/2021-10-25-the-nuclear-option-no-more-unsafe-inline.md @@ -0,0 +1,45 @@ +--- +slug: the-nuclear-option-no-more-unsafe-inline +title: "The Nuclear Option (No More unsafe-inline)" +date: "2021-10-25T18:50:13-04:00" +draft: false +--- +As you can see from the [last post][], I went with the nuclear option +and created a [Hugo table shortcode][git], then did the following: + +1. Updated all the tables on the site to use the new [table + shortcode][git]. +2. Removed `style-src 'self' 'unsafe-inline'` from the + [`Content-Security-Policy` header][csp]. +3. Re-ran the [Security Headers][securityheaders] scan. + +Here is the updated [`Content-Security-Policy`][csp] from the [Apache][] +config: + +```apache +# look ma, no unsafe-inline! +Header append "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org" +``` +  + +And here is the updated [Security Headers][securityheaders] scan result: + +[{{< figure + src="/files/posts/the-nuclear-option-no-more-unsafe-inline/securityheaders.png" + class=image + width=1218 + height=248 + caption=" Updated Security Headers scan result." +>}}][securityheaders-results] + +[previous post]: {{< relref "posts/2021-10-25-table-shortcode-for-hugo.md" >}} + "Release announcement for hugo-shortcode-table." +[git]: https://pablotron.org/pablotron/hugo-shortcode-table + "Table shortcode for hugo." +[securityheaders]: https://securityheaders.com/ + "HTTP response header scanner." +[securityheaders-results]: https://securityheaders.com/?q=pablotron.org&hide=on&followRedirects=on +[csp]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP + "Content-Security-Policy HTTP response header" +[apache]: https://apache.org/ + "Apache web server." -- cgit v1.2.3