---
slug: the-nuclear-option-no-more-unsafe-inline
title: "The Nuclear Option (No More unsafe-inline)"
date: "2021-10-25T18:50:13-04:00"
draft: false
---
As you can see from the [previous post][], I went with the nuclear option
and created a [Hugo table shortcode][git], then did the following:

1. Updated all the tables on the site to use the new [table
   shortcode][git].
2. Removed `style-src 'self' 'unsafe-inline'` from the
   [`Content-Security-Policy` header][csp].
3. Re-ran the [Security Headers][securityheaders] scan.

Here is the updated [`Content-Security-Policy`][csp] from the [Apache][]
config:
```apache
# look ma, no unsafe-inline!
Header append "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org"
```
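With `style-src` gone, inline styles are now governed by `default-src 'self'`, which is why dropping the directive (rather than merely editing it) is enough to get rid of `'unsafe-inline'`. The script below is an added example, not part of this post or of the shortcode project: it parses a CSP header the way a browser would resolve it (first occurrence of a directive wins, `script-src`/`style-src` fall back to `default-src`, and `'unsafe-inline'` is ignored once a nonce or hash source is present) and reports whether inline scripts or styles are still permitted. The `OLD_POLICY` string is reconstructed from the directive named above and `NEW_POLICY` is the header shown in the Apache config; both are sample input constructed for the example.

```python
"""Check a Content-Security-Policy header for directives that still
allow inline script or style, honouring the default-src fallback.
Added example for the post; not the site's own tooling."""
import re

# Directives checked here fall back to default-src when absent.
# (Simplified: only the two directives this example evaluates.)
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src"}

# A nonce or hash source in a directive makes browsers (CSP Level 2 and
# later) ignore 'unsafe-inline' in that same directive.
NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)")

# Sample input (constructed): the policy before and after this post's change.
OLD_POLICY = ("default-src 'self'; style-src 'self' 'unsafe-inline'; "
              "img-src 'self' https://pmdn.org")
NEW_POLICY = "default-src 'self'; img-src 'self' https://pmdn.org"


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [sources]}.

    Directives are separated by ';', tokens by whitespace. When a
    directive name is repeated, the spec says the first one wins.
    """
    directives: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def effective_sources(directives: dict[str, list[str]], name: str):
    """Return the source list that actually governs `name`, or None if
    neither the directive nor an applicable default-src exists."""
    if name in directives:
        return directives[name]
    if name in FALLS_BACK_TO_DEFAULT:
        return directives.get("default-src")
    return None


def allows_inline(sources: list[str]) -> bool:
    """True if this source list lets inline content run/apply."""
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in lowered)
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


def unsafe_inline_findings(header: str) -> list[str]:
    """List the script/style directives that still permit inline content."""
    directives = parse_csp(header)
    findings = []
    for name in ("script-src", "style-src"):
        sources = effective_sources(directives, name)
        if sources is None:
            findings.append(f"{name}: unrestricted (no directive and no default-src)")
        elif allows_inline(sources):
            findings.append(f"{name}: 'unsafe-inline' permits inline content")
    return findings


if __name__ == "__main__":
    for label, policy in (("old", OLD_POLICY), ("new", NEW_POLICY)):
        print(f"{label}: {unsafe_inline_findings(policy) or 'no inline allowed'}")
```

The fallback step is the one worth internalising: a scanner that only greps for `'unsafe-inline'` would also have flagged nothing if `default-src` itself carried it, and it would miss that a policy with no `default-src` leaves an absent `style-src` entirely unrestricted.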
And here is the updated [Security Headers][securityheaders] scan result:

[{{< figure
  src="/files/posts/the-nuclear-option-no-more-unsafe-inline/securityheaders.png"
  class=image
  width=1218
  height=248
  caption="Updated Security Headers scan result."
>}}][securityheaders-results]

[previous post]: {{< relref "posts/2021-10-25-table-shortcode-for-hugo.md" >}}
"Release announcement for hugo-shortcode-table."
[git]: https://pablotron.org/pablotron/hugo-shortcode-table
"Table shortcode for hugo."
[securityheaders]: https://securityheaders.com/
"HTTP response header scanner."
[securityheaders-results]: https://securityheaders.com/?q=pablotron.org&hide=on&followRedirects=on
[csp]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
"Content-Security-Policy HTTP response header"
[apache]: https://apache.org/
"Apache web server."