Security Content-Security-Policy header

Discussion in 'System Administration' started by Andy, May 6, 2021.

  1. Andy

    What is the recommended way to add this header to centminmod?
    I used this site to check, Analyse your HTTP response headers, and centminmod.com has several missing and outdated security headers.
    @eva2000 time to update?

  2. eva2000

    Thanks for the heads up, I changed the Feature Policy header to the Permissions Policy header now: Scan results for https://centminmod.com/. I don't use Content Security Policy (CSP) if I have ads running on the same site, as there's no way to properly implement CSP if you have 3rd party ads where you do not control or know what domains/hostnames these 3rd party ads are served from; you'd be playing catch up and CSP will block all 3rd party domains until you catch up.

    To read up on CSP, see Content Security Policy - An Introduction

    The recommended way is to add the header to your Nginx vhost near the HSTS and other headers that are included by default for static HTML pages, and also add a copy to your php.conf include file for dynamic sites.
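As an added example (not Centmin Mod's own vhost template), this is the placement described above: the headers sit at server level beside HSTS, and a copy is repeated inside the PHP location, because Nginx only inherits add_header directives into a location that defines none of its own. The hostname, the ad CDN hostname, the report endpoint and the policy values are placeholders to replace with the site's real ones.

```nginx
# Added example, not Centmin Mod's shipped vhost or php.conf.
# Placeholders: example.com, ads.example-cdn.net, /csp-report, fastcgi_pass target.
server {
    listen 443 ssl http2;
    server_name example.com;

    # Headers for static HTML, next to the HSTS header already present.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # Replaces the older Feature-Policy header.
    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

    # Report-Only first: hosts missing from the allow-list (e.g. third-party
    # ad servers) are reported to /csp-report instead of blocked, so the
    # list can be built from real violations before switching to the
    # enforcing Content-Security-Policy header.
    add_header Content-Security-Policy-Report-Only
        "default-src 'self'; script-src 'self' https://ads.example-cdn.net; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; frame-src https://ads.example-cdn.net; report-uri /csp-report" always;

    location / {
        # No add_header here, so the server-level headers are inherited.
        try_files $uri $uri/ /index.php?$args;
    }

    # Normally the body of this block comes from the php.conf include; it is
    # shown inline. Any add_header at this level (here, a Cache-Control
    # header for dynamic responses) stops inheritance of ALL server-level
    # add_header lines, which is why the security headers are repeated.
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;   # placeholder backend
        fastcgi_index index.php;
        include fastcgi_params;

        add_header Cache-Control "no-store" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
        add_header Content-Security-Policy-Report-Only
            "default-src 'self'; script-src 'self' https://ads.example-cdn.net; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; frame-src https://ads.example-cdn.net; report-uri /csp-report" always;
    }
}
```

Check the result with `curl -sI https://example.com/` and `curl -sI https://example.com/index.php`; both responses should carry the same header set, which confirms the PHP location did not drop them.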