SecureHeaders
Report missing CSP directives
base-uri must be defined to have blocking behaviour.
If default-src is not defined, many directives will have no fallback (and so will operate as if * was specified if they too are undefined by the CSP).
Some key directives that should not be omitted include:
- default-src (obviously)
- object-src
- script-src
- style-src
SecureHeaders should emit a warning if any directive that falls back to default-src is absent from the CSP and default-src is also absent.
We should also enumerate the directives that do not fall back to default-src (like base-uri) and warn about these separately (regardless of whether default-src is present).
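Audit logic of the kind proposed above, as an added example in Python (it is not SecureHeaders' own PHP code); the fallback chains follow the CSP3 rules, the set of no-fallback directives is limited to the ones I am sure of, and the policies in the test are constructed.

```python
# Added example (not SecureHeaders' own code): report the two kinds of CSP gaps
# described in the issue, given a policy string.

# Fetch directives and the chain they fall back through (per CSP3), ending at
# default-src. An absent directive is covered by the first present link.
FALLBACK_CHAIN = {
    "script-src": ["default-src"],
    "style-src": ["default-src"],
    "object-src": ["default-src"],
    "img-src": ["default-src"],
    "connect-src": ["default-src"],
    "font-src": ["default-src"],
    "media-src": ["default-src"],
    "child-src": ["default-src"],
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["script-src", "child-src", "default-src"],
}

# Directives with no fallback at all: if absent, they impose no restriction,
# whether or not default-src is present.
NO_FALLBACK = ["base-uri", "form-action", "frame-ancestors"]


def parse_csp(policy: str) -> dict:
    """Split 'name value value; name ...' into {name: [values]}.

    Names are lower-cased; a repeated directive keeps its first occurrence,
    as browsers ignore later duplicates.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def missing_directive_warnings(policy: str) -> list:
    """Return one warning per directive whose absence leaves a gap."""
    present = parse_csp(policy)
    warnings = []
    for directive, chain in FALLBACK_CHAIN.items():
        if directive in present or any(link in present for link in chain):
            continue  # set directly, or covered by a fallback that is set
        warnings.append(f"{directive} is not set and neither are {', '.join(chain)}: "
                        f"it behaves as if * were specified")
    for directive in NO_FALLBACK:
        if directive not in present:
            warnings.append(f"{directive} is not set and has no fallback: no restriction applies")
    return warnings
```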