Content-Security-Policy
Should use the following header:

```
Content-Security-Policy:
default-src https://www.bitrated.com/;
frame-src 'none';
object-src 'none';
connect-src https://www.bitrated.com/ https://blockchain.info/ https://coinb.in/;
report-uri /csp-violation/
```
This is pretty much as strict as it can get. This instructs the browser to:
- Block resources that don't originate from bitrated.com over SSL
- Block XmlHttpRequests except to bitrated.com itself and the blockchain.info and coinb.in APIs
- Block inline scripts (no `'unsafe-inline'`)
- Block eval (no `'unsafe-eval'`; not that it does much against XSS, but why not)
- Block iframes and objects completely (those aren't currently used)
- Send violation reports to an API endpoint (`/csp-violation/`).
Todo:
- [ ] Move inline script that tests browser support to a separate file
- [ ] Check for other inline script usages (there shouldn't be any)
- [ ] Add header on dev environment
- [ ] Ensure nothing breaks (mostly by disallowing `eval` - not used in Bitrated, but might be used in one of the libraries)
- [ ] API for violation reports, forward to email
- [ ] Update security page
- [ ] Push live
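As an added, stand-alone Node.js example (not Bitrated project code): parse the header above, audit it for the properties the list claims (no inline scripts, no eval, no plain-HTTP sources, frames/objects disabled, a report-uri present), and classify the `csp-report` JSON a browser POSTs to `/csp-violation/` so the violation endpoint can tell a leftover inline script from a library calling `eval` or an unexpected external origin. The function names and the report fields used are assumptions based on the standard CSP report format.

```javascript
// Added example, not from the Bitrated repository. Plain Node.js, no dependencies.
const CSP_HEADER =
  "default-src https://www.bitrated.com/; " +
  "frame-src 'none'; object-src 'none'; " +
  "connect-src https://www.bitrated.com/ https://blockchain.info/ https://coinb.in/; " +
  "report-uri /csp-violation/";

// Parse a CSP header value into { directive: [source, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Effective source list for a fetch directive: falls back to default-src when
// the directive is not set explicitly (this is how script-src works above).
function effectiveSources(policy, directive) {
  return policy[directive] || policy['default-src'] || [];
}

// Check the properties the issue claims. Returns a list of problems; an empty
// list means the policy is as strict as described.
function auditCsp(policy) {
  const problems = [];
  const scripts = effectiveSources(policy, 'script-src');
  if (scripts.includes("'unsafe-inline'")) problems.push('inline scripts allowed');
  if (scripts.includes("'unsafe-eval'")) problems.push('eval allowed');
  if (scripts.includes('*')) problems.push('scripts allowed from any origin');
  for (const src of effectiveSources(policy, 'default-src')) {
    if (src.startsWith('http://')) problems.push('plain-HTTP source: ' + src);
  }
  for (const d of ['frame-src', 'object-src']) {
    if (!(policy[d] || []).includes("'none'")) problems.push(d + ' not disabled');
  }
  if (!policy['report-uri']) problems.push('no report-uri');
  return problems;
}

// Classify the "csp-report" JSON a browser POSTs to report-uri (constructed
// input in the test; field names follow the standard report format).
function classifyReport(body) {
  const r = JSON.parse(body)['csp-report'];
  const directive = (r['effective-directive'] || r['violated-directive'] || '').split(' ')[0];
  const blocked = r['blocked-uri'] || '';
  let kind;
  if (blocked === 'inline') kind = 'inline-script'; // a leftover inline <script>
  else if (blocked === 'eval') kind = 'eval';       // some library calling eval
  else kind = 'external-' + directive;              // load from a non-whitelisted origin
  return { kind, directive, blockedUri: blocked, page: r['document-uri'] };
}
```

Forwarding `kind`, `directive`, `blockedUri` and `page` by email is enough to triage most reports; the raw body is still worth logging because browsers differ in which fields they send.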