
Security Content-Security-Policy header

Discussion in 'System Administration' started by Andy, May 6, 2021.

  1. Andy

    What is the recommended way to add this header to centminmod?
    I used this site to check (Analyse your HTTP response headers), and centminmod.com has several missing and outdated security headers.
    @eva2000, time to update?

  2. eva2000

    Thanks for the heads up. I changed the Feature-Policy header to a Permissions-Policy header now (Scan results for https://centminmod.com/). I don't use Content Security Policy (CSP) if I have ads running on the same site, as there's no way to properly implement CSP if you have 3rd party ads where you do not control or know what domains/hostnames these 3rd party ads are served from: you'd be playing catch up, and CSP will be blocking all 3rd party domains until you catch up.

    To read up on CSP, see Content Security Policy - An Introduction.

    The recommended way is to add the header to your Nginx vhost, near the HSTS and other headers that are included by default for static HTML pages, and also add a copy to your php.conf include file for dynamic sites.
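An added example of that placement (not code from this thread or from the Centmin Mod project): the CSP header sits beside HSTS in the vhost, and the same header set is repeated inside the PHP location block because Nginx does not inherit add_header into a block that declares any add_header of its own. The hostnames, file paths and the policy itself are assumptions; the policy starts in Report-Only mode so third-party hosts such as ad networks show up in reports before anything is blocked.

```nginx
# --- vhost file, e.g. /usr/local/nginx/conf/conf.d/example.com.ssl.conf (assumed path) ---
server {
    listen 443 ssl http2;
    server_name example.com;   # constructed hostname

    # Security headers already present for static HTML
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;

    # CSP goes right next to them. Report-Only never blocks a resource; the
    # browser posts a JSON report to /csp-report for every violation, which
    # reveals the ad/CDN hostnames the pages really load. Once that list is
    # stable, rename the header to Content-Security-Policy to enforce it.
    add_header Content-Security-Policy-Report-Only
        "default-src 'self'; script-src 'self' https://cdn.example.net; img-src 'self' data: https:; frame-src https:; report-uri /csp-report"
        always;

    # Dynamic pages are handled by the PHP include below
    include /usr/local/nginx/conf/php.conf;   # assumed path
}

# --- php.conf include (assumed path above) ---
# add_header is inherited from the server block only when the location block
# defines no add_header at all. Because this block sets its own header, the
# full set must be repeated here or PHP responses lose HSTS and CSP entirely.
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass 127.0.0.1:9000;   # constructed backend address
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Content-Security-Policy-Report-Only
        "default-src 'self'; script-src 'self' https://cdn.example.net; img-src 'self' data: https:; frame-src https:; report-uri /csp-report"
        always;
}
```

After reloading Nginx, `curl -sI https://example.com/` and `curl -sI https://example.com/index.php` should both show the header; if only the static URL does, the location block is overriding the server-level headers.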