mystamps
mystamps copied to clipboard
php-coder
Add Content-Security-Policy header
See for details:
- https://content-security-policy.com/
- http://cspisawesome.com/
- https://httpsecurityreport.com/best_practice.html#contentSecurityPolicy
- https://scotthelme.co.uk/content-security-policy-an-introduction/
- https://60devs.com/using-content-security-policy.html
- http://docs.spring.io/spring-security/site/docs/4.2.x/reference/htmlsingle/#headers-csp
- https://github.com/shapesecurity/salvation and http://cspvalidator.org/
- https://csp-evaluator.withgoogle.com
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
- https://rapidsec.com/analyze
- https://cspscanner.com
- https://cspscanner.com/csp-bypasses
- https://medium.com/@bhaveshthakur2015/content-security-policy-csp-bypass-techniques-e3fa475bfe5d
- https://devdocs.io/http-csp/
- https://www.hardenize.com
- Mixed content not blocked: This CSP policy doesn't use any of the directives designed to handle mixed content. Consider using the 'block-all-mixed-content' and 'upgrade-insecure-requests' directives as appropriate to ensure that no mixed content is allowed.
- Form targets not restricted: The 'form-action' directive is not explicitly set. Because this directive doesn't fall back to default sources, this means that all targets are allowed.
Explicitly specify directives that aren't covered by default-src (like form-action, see https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5).
Read also: https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/
Could be useful, here are the Jenkins CSP rules: https://wiki.jenkins.io/display/JENKINS/Configuring+Content+Security+Policy