Deploy Content Security Policy (CSP) and check other security headers
We should have a look at this: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Full specification: https://www.w3.org/TR/CSP/
Updated by Marc Dequènes almost 2 years ago
This FF plugin could be handy: https://addons.mozilla.org/en-US/firefox/addon/laboratory-by-mozilla/
Updated by Marc Dequènes 9 months ago
- Subject changed from Experiment with Content Security Policy (CSP) to Deploy Content Security Policy (CSP) and check other security headers
- % Done changed from 10 to 30
It works, even if finding the right setting may need some trial and error.
I've already set up certain vhosts, and certain applications may provide one (Nextcloud), so let's list the vhosts needing one and fix them one by one.
I should also check the result of: https://securityheaders.com/
I updated the httpd role for more secure headers. I need to have a look at duplicate headers.
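As an added example (not part of this issue or of the httpd role), the following script audits a vhost's response headers the way the securityheaders.com check would: it reports expected security headers that are missing, headers sent more than once, and weak CSP directives. The response it reads is a constructed sample embedded in the script, with one CSP set by the web server and a second one added by an application, so nothing is fetched over the network.

```python
"""Audit HTTP response headers for the security headers this issue tracks.

Added example, not the project's own code. Input is a constructed raw
response-header block; nothing is fetched from the network.
"""
from __future__ import annotations

from collections import defaultdict

# Headers we expect on every vhost, with a one-line rationale.
EXPECTED = {
    "content-security-policy": "restricts where scripts, styles and frames may load from",
    "strict-transport-security": "forces HTTPS on return visits",
    "x-content-type-options": "disables MIME sniffing",
    "x-frame-options": "legacy clickjacking protection (CSP frame-ancestors supersedes it)",
    "referrer-policy": "limits referrer leakage to third parties",
}

# Constructed sample: the server sets one policy, the application adds another.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
"""


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse a raw header block into lowercase name -> list of values.

    A list is kept per name so that duplicate headers are visible.
    """
    headers: dict[str, list[str]] = defaultdict(list)
    lines = raw.strip().splitlines()
    if lines and lines[0].startswith("HTTP/"):
        lines = lines[1:]  # drop the status line
    for line in lines:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_headers(headers: dict[str, list[str]]) -> list[str]:
    """Return a list of human-readable findings (empty means all checks passed)."""
    findings: list[str] = []
    policies = [parse_csp(p) for p in headers.get("content-security-policy", [])]
    has_frame_ancestors = any("frame-ancestors" in p for p in policies)

    for name, why in EXPECTED.items():
        if name in headers:
            continue
        if name == "x-frame-options" and has_frame_ancestors:
            continue  # CSP frame-ancestors already covers this case
        findings.append(f"missing {name}: {why}")

    for name, values in headers.items():
        if name in EXPECTED and len(values) > 1:
            note = ""
            if name == "content-security-policy":
                # Browsers enforce every CSP header received; a resource must be
                # allowed by each policy, so the effective policy is their intersection.
                note = "; browsers enforce all of them, so each load must satisfy every policy"
            findings.append(f"duplicate {name}: sent {len(values)} times{note}")

    for policy in policies:
        if "default-src" not in policy:
            findings.append("csp: no default-src fallback, unlisted fetch directives are unrestricted")
        script_src = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("csp: script-src allows 'unsafe-inline', which defeats XSS protection")
        if "*" in script_src:
            findings.append("csp: script-src allows any origin (*)")
    return findings


def audit(raw_response: str) -> list[str]:
    """Parse a raw response-header block and return its findings."""
    return check_headers(parse_headers(raw_response))


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE) or ["no findings"]:
        print(finding)
```

On the sample the script reports the missing Referrer-Policy, the duplicated CSP header, and the `'unsafe-inline'` in the first policy; X-Frame-Options is not reported because the second policy carries `frame-ancestors`. Feeding it the headers captured from each vhost in the list above gives a per-vhost checklist for the "fix them one by one" pass.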
Updated by Marc Dequènes 6 days ago
- stuff.milkypond.org (handled by Nextcloud)
- perso.duckcorp.org: each user needs to adapt it to their own needs
- photos-ng.duckcorp.org: experimental at the moment