Update CSP

Dennis Eichhorn 2016-11-23 23:54:58 +01:00
parent 2fe4d243a0
commit 07482fe5c7


@ -56,13 +56,13 @@ Scripts and frames must be provided by the own server or google. This is importa
The default CSP looks like the following:
```
$response->getHeader()->set('content-security-policy', 'script-src \'self\'; frame-src \'self\'', true);
$response->getHeader()->set('content-security-policy', 'script-src \'self\'; child-src \'self\'', true);
```
In order to whitelist inline javascript you can use the following logic. This however requires you to know the inline script beforehand `$script`. After setting the CSP header they automatically get locked so that further changes are not possible. This is a security measure in order to prevent any malicious adjustments.
```
$response->getHeader()->set('content-security-policy', 'script-src \'self\' \'sha256-' . base64_encode(hash('sha256', $script, true)) . '\'; frame-src \'self\'', true);
$response->getHeader()->set('content-security-policy', 'script-src \'self\' \'sha256-' . base64_encode(hash('sha256', $script, true)) . '\'; child-src \'self\'', true);
```
### X-XSS-Protection
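Review bot: swapping `frame-src` for `child-src` on the two changed `set(...)` lines (the default policy and the sha256 inline-script policy) silently loosens the policy for user agents that only implement CSP Level 1, because they ignore the unknown `child-src` directive and, since the policy sets no `default-src`, fall back to allowing frames from any origin. Emitting both directives, e.g. `'script-src \'self\'; frame-src \'self\'; child-src \'self\''`, keeps the old behaviour on Level 1 browsers while gaining Level 2 coverage; Level 2 user agents honour `frame-src` when it is present and only fall back to `child-src` when it is absent, so sending both is harmless. Two smaller points on the same hunk: the context sentence in the hunk header says scripts and frames may come from "the own server or google", yet neither the old nor the new default policy lists a Google origin, so either that sentence or the example header should be corrected, and because the policy has no `default-src`, `object-src`, `style-src`, `connect-src` and the rest stay unrestricted, which is worth stating next to the sentence that calls this the default CSP.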