jungvonmatt/wekit

Generate automated hashes and add to CSP header

Opened this issue · 3 comments

In order to have a relatively secure ruleset in our CSP header, we would want to allow both script-src and inline JavaScript files based on their content hashes. We might generate these hashes during build and inject them into our _headers file and in the DOM.

sebil commented

Hugo has a built-in "fingerprint" function, which automatically generates hashes for script files.
Maybe we could use those exact same hashes for the _headers?

@sebil Sounds like a plan! Haven't tested yet, but the default hash function used by Hugo is sha256, so exactly what we need.

Mind you, I'm not sure about the cost-benefit of this idea. We'll see.
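To make the build step described in the issue concrete (hash every inline script, reuse the fingerprint of every external one, and write the result into the _headers file), here is an added Go example. It is not code from wekit or from Hugo; it assumes a Netlify-style _headers layout, double-quoted HTML attributes, and a constructed sample page whose `integrity` value is made up but has the `sha256-<base64>` shape that Hugo's fingerprint exposes as `.Data.Integrity`. Two caveats it bakes in: CSP hashes the exact bytes between the `<script>` tags, so any reformatting of the inline code invalidates the header, and under CSP Level 3 an external script only matches a hash source when the element carries a matching `integrity` attribute, so external scripts without one are reported instead of silently shipped.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample page standing in for Hugo output: one inline script, one
// fingerprinted external script, one external script that was never
// fingerprinted. The integrity value is invented for this example.
const samplePage = `<!doctype html>
<script>window.__cfg = {"lang":"de"};</script>
<script src="/js/main.1a2b3c.js" integrity="sha256-EXAMPLEfingerprintValueFromHugoBuild="></script>
<script src="/js/vendor.js"></script>`

var (
	scriptRe    = regexp.MustCompile(`(?is)<script\b([^>]*)>(.*?)</script>`)
	srcRe       = regexp.MustCompile(`(?i)\bsrc\s*=\s*"([^"]*)"`)
	integrityRe = regexp.MustCompile(`(?i)\bintegrity\s*=\s*"([^"]*)"`)
)

// cspHash returns the CSP hash expression for the exact script content:
// "sha256-" followed by the standard base64 encoding of the SHA-256 digest.
// This is the same shape as an SRI integrity value, so inline hashes and
// fingerprints of external files can share one script-src directive.
func cspHash(content []byte) string {
	sum := sha256.Sum256(content)
	return "sha256-" + base64.StdEncoding.EncodeToString(sum[:])
}

// scriptHashes walks every <script> element. Inline bodies are hashed
// byte-for-byte (no trimming, because CSP compares the exact text between the
// tags). External scripts contribute their integrity attribute, since CSP
// Level 3 only matches them against a hash source when that attribute is
// present. External scripts without one are returned in unhashed so the build
// can fail loudly instead of emitting a header that will block them.
func scriptHashes(html string) (hashes []string, unhashed []string) {
	for _, m := range scriptRe.FindAllStringSubmatch(html, -1) {
		attrs, body := m[1], m[2]
		src := srcRe.FindStringSubmatch(attrs)
		if src == nil {
			hashes = append(hashes, cspHash([]byte(body)))
			continue
		}
		if im := integrityRe.FindStringSubmatch(attrs); im != nil {
			hashes = append(hashes, im[1])
		} else {
			unhashed = append(unhashed, src[1])
		}
	}
	return hashes, unhashed
}

// scriptSrcDirective builds the script-src value. Hashes are deduplicated in
// first-seen order so the generated header is stable across builds.
func scriptSrcDirective(hashes []string) string {
	parts := []string{"script-src", "'self'"}
	seen := map[string]bool{}
	for _, h := range hashes {
		if seen[h] {
			continue
		}
		seen[h] = true
		parts = append(parts, "'"+h+"'")
	}
	return strings.Join(parts, " ")
}

// headersEntry renders one Netlify-style _headers entry for the given path.
func headersEntry(path, scriptSrc string) string {
	return path + "\n  Content-Security-Policy: default-src 'self'; " + scriptSrc + "\n"
}

func main() {
	hashes, unhashed := scriptHashes(samplePage)
	if len(unhashed) > 0 {
		fmt.Println("external scripts without integrity (would be blocked):", unhashed)
	}
	fmt.Print(headersEntry("/*", scriptSrcDirective(hashes)))
}
```

In a real build the input would be the rendered HTML of each page rather than `samplePage`, and the `unhashed` list should be treated as a build error; the whitespace sensitivity is also why the hashes have to be computed from the final rendered output, after minification, and not from the template source.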