Drop unsafe-inline and unsafe-eval

2021-02-13 04:25:02 +01:00 · 2021-02-13 04:25:02 +01:00 · 3975f59ddf
parent 9db03ed2ed
commit 3975f59ddf
1 changed files with 1 additions and 1 deletions
--- a/roles/nginx/templates/etc/nginx/sites-available/site-vhost.j2
+++ b/roles/nginx/templates/etc/nginx/sites-available/site-vhost.j2
@ -25,7 +25,7 @@ server {
    listen 443 ssl;
    listen [::]:443 ssl;

-    add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;
+    add_header Content-Security-Policy "default-src https://{{ item.servername }}:433" always;
    add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), notifications=(), payment=(), usb=()" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;