Follow best practices for CSP compliance

[GeekInTheNorth]

It is best practice for both the Website UI and the CMS Backend to be covered by security headers including a CSP. Damage to a brand can be achieved by via gaining accessing the back end using phishing attacks etc and so this too should be protected.

When a Content Security Policy is used to govern the entire platform (including the CMS backend), then the CSP currently has to be opened to include the dependencies for this module. This includes multiple packages under the cdn.jsdeliver.net domain and depending how specific the CSP is, this can potentially open the entirety of the site the cdn.jsdeliver.net domain.

It would be more ideal for the assets used for the Geta Not Found Handler to be accessible purely using the 'self' source. This can be achieved by packing these libraries into the modules\_protected\Geta.NotFoundHandler.Optimizely folder and self serving them.

[nma76]

I agree to that. There's no way I'll add cdn.jsdelivr.net to our CSP, and packing these resources isn't a big task.

And also, the installation instructions should probably mention CSP since (i hope) most sites use them and it won't work at all with out adding cdn.jsdelivr.net to frame-ancestor, script-src and style-src.

[AnInternetTroll]

If you need to vendor those dependencies or upgrade them independently of Geta or whatever consider overwriting the following config variables

https://github.com/Geta/geta-notfoundhandler/blob/657b281f4e9176b81136c45564e34ca10ba34e3c/src/Geta.NotFoundHandler/Infrastructure/Configuration/NotFoundHandlerOptions.cs#L32-L37