Update CSP

This commit is contained in:
Dennis Eichhorn 2016-11-23 23:54:58 +01:00
parent 2fe4d243a0
commit 07482fe5c7


@ -56,13 +56,13 @@ Scripts and frames must be provided by the own server or google. This is importa
The default CSP looks like the following: The default CSP looks like the following:
``` ```
$response->getHeader()->set('content-security-policy', 'script-src \'self\'; frame-src \'self\'', true); $response->getHeader()->set('content-security-policy', 'script-src \'self\'; child-src \'self\'', true);
``` ```
In order to whitelist inline javascript you can use the following logic. This however requires you to know the inline script beforehand `$script`. After setting the CSP header they automatically get locked so that further changes are not possible. This is a security measure in order to prevent any malicious adjustments. In order to whitelist inline javascript you can use the following logic. This however requires you to know the inline script beforehand `$script`. After setting the CSP header they automatically get locked so that further changes are not possible. This is a security measure in order to prevent any malicious adjustments.
``` ```
$response->getHeader()->set('content-security-policy', 'script-src \'self\' \'sha256-' . base64_encode(hash('sha256', $script, true)) . '\'; frame-src \'self\'', true); $response->getHeader()->set('content-security-policy', 'script-src \'self\' \'sha256-' . base64_encode(hash('sha256', $script, true)) . '\'; child-src \'self\'', true);
``` ```
### X-XSS-Protection ### X-XSS-Protection
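Review bot: replacing `frame-src` with `child-src` in both CSP snippets follows CSP Level 2, where `frame-src` was deprecated in favour of `child-src`, but CSP Level 3 reverses that: `child-src` is deprecated there and browsers consult `frame-src` (and `worker-src`) first, falling back to `child-src` only when those are absent. To keep frames restricted across both generations of browsers, consider emitting both directives, e.g. `script-src 'self'; frame-src 'self'; child-src 'self'`, in the default header and in the hash-whitelisting variant. The prose above the first snippet still speaks only of "frames"; since `child-src` also governs Web Workers, a short note to that effect would keep the documentation accurate to the header it now shows.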