Format `Content-Security-Policy` header directives
Closed this issue · 4 comments
After implementing the included CSP and running it against e.g. https://csp-evaluator.withgoogle.com/ and others, plus a lot of reading, I came up with:
<IfModule mod_headers.c>
    # One directive per line. The trailing backslash is Apache's line
    # continuation; it is required because a quoted argument cannot span
    # lines by itself. 'nonce-rAnd0m' is a placeholder: a CSP nonce must be
    # a fresh, unguessable value on every response.
    Header always set Content-Security-Policy "default-src 'self' gap:; \
                                               style-src 'self' https://fonts.googleapis.com; \
                                               font-src 'self' data: https://fonts.gstatic.com; \
                                               img-src 'self' data: content:; \
                                               script-src 'nonce-rAnd0m' 'strict-dynamic'; \
                                               media-src 'self'; \
                                               base-uri 'none'; \
                                               form-action 'self'; \
                                               frame-ancestors 'none'; \
                                               object-src 'none'; \
                                               require-trusted-types-for 'script'; \
                                               upgrade-insecure-requests" \
                                          "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
</IfModule>
I think that provides a better launch pad for users than the current - both formatting for readability and a more complete list of arguments.
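The policy above uses `'nonce-rAnd0m'` as a stand-in. A CSP nonce only does its job when it is an unguessable value generated fresh for each response, so a fixed string in `.htaccess` cannot be one; the application that renders the page has to mint it. The following Python is an added example, not code from this issue or from H5BP: it generates such a nonce, serialises the directive list from the comment into the header value, parses it back, applies the checks an evaluator such as the one linked above would apply, and mirrors the `expr=` Content-Type condition (the unanchored `xml` alternative also matches `image/svg+xml`, which is useful because SVG can carry script). Function names, the findings wording and the sample content types are my own.

```python
"""Added example: per-response CSP nonce, header serialisation, and the
Content-Type condition from the Apache config. Not H5BP code."""
import base64
import re
import secrets

# Directive list from the posted policy, one directive per entry, with the
# nonce left as a template field to be filled in per response.
CSP_DIRECTIVES = [
    ("default-src", ["'self'", "gap:"]),
    ("style-src", ["'self'", "https://fonts.googleapis.com"]),
    ("font-src", ["'self'", "data:", "https://fonts.gstatic.com"]),
    ("img-src", ["'self'", "data:", "content:"]),
    ("script-src", ["'nonce-{nonce}'", "'strict-dynamic'"]),
    ("media-src", ["'self'"]),
    ("base-uri", ["'none'"]),
    ("form-action", ["'self'"]),
    ("frame-ancestors", ["'none'"]),
    ("object-src", ["'none'"]),
    ("require-trusted-types-for", ["'script'"]),
    ("upgrade-insecure-requests", []),
]

# Same pattern as the Apache expr argument; re.I mirrors its trailing "i".
CONTENT_TYPE_RE = re.compile(r"text/(html|javascript)|application/pdf|xml", re.I)


def new_nonce(nbytes: int = 16) -> str:
    """128 bits from the OS CSPRNG, base64-encoded as the CSP spec requires.
    Call this once per response; never reuse the value."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def build_csp(nonce: str, directives=CSP_DIRECTIVES) -> str:
    """Serialise the directive list into the header value Apache would send."""
    parts = []
    for name, values in directives:
        filled = [v.format(nonce=nonce) for v in values]
        parts.append(" ".join([name] + filled))
    return "; ".join(parts)


def parse_csp(header: str) -> dict:
    """Parse a header value back into {directive: [source expressions]}."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def header_applies(content_type: str) -> bool:
    """Would the Apache expr condition attach the header to this Content-Type?"""
    return CONTENT_TYPE_RE.search(content_type) is not None


def strict_policy_findings(policy: dict) -> list:
    """Checks a CSP evaluator applies to a policy that claims to be strict."""
    findings = []
    script = policy.get("script-src", policy.get("default-src", []))
    nonces = [s[len("'nonce-"):-1] for s in script if s.startswith("'nonce-")]
    hashes = [s for s in script if s.startswith(("'sha256-", "'sha384-", "'sha512-"))]
    if not nonces and not hashes:
        findings.append("script-src has no nonce or hash source")
    # 128 bits of entropy base64-encode to at least 22 characters.
    if any(len(n) < 22 for n in nonces):
        findings.append("nonce shorter than 128 bits; generate it per response")
    if "'strict-dynamic'" not in script:
        findings.append("script-src lacks 'strict-dynamic'")
    if policy.get("object-src") != ["'none'"]:
        findings.append("object-src is not 'none'")
    if "base-uri" not in policy:
        findings.append("base-uri is missing")
    return findings


if __name__ == "__main__":
    nonce = new_nonce()
    header = build_csp(nonce)
    print("Content-Security-Policy:", header)
    print("findings:", strict_policy_findings(parse_csp(header)))
    # The placeholder from the config is flagged as too short.
    print("placeholder:", strict_policy_findings(parse_csp(build_csp("rAnd0m"))))
    for ct in ("text/html; charset=utf-8", "image/svg+xml", "text/css"):
        print(ct, "->", header_applies(ct))
```

In practice the application emits the header and the matching `<script nonce="…">` attribute itself, or passes the nonce to Apache through an environment variable; a value hard-coded in the config is shared by every response and gives an attacker who can inject markup a known nonce.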
Thanks for opening this issue @dcog989.
The one-per-line-attribute rule sounds good, would you like to open a pull request?
On their actual values, let's keep them as strict per default for now.
Hey. Yeah, I'd be happy to do that.
I was also wondering if the project would be interested in a significant reformat of the entire document, which I think could be improved for brevity and clarity. E.g.:
Existing:
"Using `.htaccess` files slows down Apache, therefore, if you have access to the main server configuration file (which is usually called `httpd.conf`), you should add this logic there."
Proposed:
".htaccess slows down Apache so use the main server configuration file (usually `httpd.conf`) if possible."
Also, improve consistency of comments and section formatting using syntax from https://github.com/aaron-bond/better-comments (even if a user doesn't employ that extension, the comments would have useful notation?). E.g.:
> Hey. Yeah, I'd be happy to do that.
Cool, thanks! 👍
> I was also wondering if the project would be interested in a significant reformat of the entire document, which I think could be improved for brevity and clarity. E.g.:
Let's stay simple for now, one thing at a time.
Also, the `.htaccess` file is auto-generated, based on the files already in a proper structure.
> Also, improve consistency of comments and section formatting using syntax from aaron-bond/better-comments
Interesting project, but this might be overkill for H5BP boilerplate. Let's stay simple here as well 🙂
OK. Understood. I'll sort out the pull request as specced. :)