Skip to content

Commit

Permalink
Merge pull request #1506 from aleksandrychev/ENT-4400_3.21.x
Browse files Browse the repository at this point in the history
ENT-4400: Added Content-Security-Policy header to the Apache httpd config (3.21.x)
  • Loading branch information
craigcomstock authored Oct 11, 2024
2 parents 95d0591 + 12ab6d3 commit 92a5a26
Showing 1 changed file with 17 additions and 0 deletions.
17 changes: 17 additions & 0 deletions deps-packaging/apache/httpd.conf
Original file line number Diff line number Diff line change
Expand Up @@ -199,6 +199,23 @@ LogLevel warn
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff

Header always set Content-Security-Policy \
"frame-ancestors 'self'; \
default-src 'self'; \
script-src 'self' 'unsafe-inline'; \
style-src 'self' 'unsafe-inline' fonts.googleapis.com; \
object-src 'none'; \
frame-src 'self'; \
child-src 'self'; \
img-src 'self' data: blob: avatars.githubusercontent.com badges.gitter.im fonts.gstatic.com kiwiirc.com raw.githubusercontent.com; \
font-src 'self' data: fonts.googleapis.com fonts.gstatic.com; \
connect-src 'self' fonts.gstatic.com fonts.googleapis.com; \
manifest-src 'self'; \
base-uri 'self'; \
form-action 'self'; \
media-src 'self'; \
worker-src 'self' blob:;"

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
Expand Down

0 comments on commit 92a5a26

Please sign in to comment.