[arch-devops] [RFC] Better security through Content Security Policy and other headers.

Florian Pritz bluewind at xinu.at
Sat Aug 4 08:00:17 UTC 2018


On Sat, Aug 04, 2018 at 12:34:10AM +0200, Jelle van der Waa <jelle at vdwaa.nl> wrote:
> add_header Content-Security-Policy "default-src 'self'; style-src 'self'; font-src 'self'; form-action 'self';"

I assume that our javascript/css is static, so we might want to move it to a
subdomain and only allow that subdomain.

Apart from that I like the idea(s)!

Florian
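To make the two policies under discussion concrete, here is a small CSP evaluator added to this thread as an example (it is not code from the list or from the Arch infrastructure). It parses a Content-Security-Policy value, applies the default-src fallback that governs script-src when that directive is absent, and answers whether a resource from a given origin would be allowed. The quoted policy is taken verbatim from the mail; the subdomain variant and the hostnames www.example.org and static.example.org are constructed placeholders standing in for the site and the proposed static-asset subdomain.

```python
"""Minimal Content-Security-Policy evaluator (added example, constructed).

Models only what the thread needs: 'self', 'none', and host sources with
an optional scheme and a leading "*." wildcard.  Nonces, hashes and the
other keyword sources are deliberately not modelled.
"""
from urllib.parse import urlsplit

# Directives that fall back to default-src when they are not set explicitly.
FETCH_DIRECTIVES = {"script-src", "style-src", "font-src", "img-src", "connect-src"}

# Policy quoted in the mail.
QUOTED_POLICY = "default-src 'self'; style-src 'self'; font-src 'self'; form-action 'self';"

# Constructed variant of the suggestion: static assets live on a subdomain
# (placeholder name) and only that subdomain may serve scripts, styles, fonts.
SUBDOMAIN_POLICY = (
    "default-src 'self'; "
    "script-src https://static.example.org; "
    "style-src https://static.example.org; "
    "font-src https://static.example.org; "
    "form-action 'self';"
)


def parse_csp(header):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _host_source_matches(source, resource, page):
    """Match a host-source such as 'https://static.example.org' or '*.example.org'."""
    if "://" in source:
        scheme, host = source.split("://", 1)
        if scheme != resource.scheme:
            return False
    else:
        # Scheme-less host sources inherit the page's scheme (simplified; the
        # spec also allows an https upgrade of an http page scheme).
        host = source
        if resource.scheme != page.scheme:
            return False
    host = host.lower()
    if host.startswith("*."):
        return resource.hostname.endswith(host[1:])
    return resource.hostname == host


def allows(policy, directive, resource_url, page_origin):
    """Return True if resource_url is permitted for directive under policy."""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:
        return True  # nothing governs this fetch, CSP does not restrict it
    if [s.lower() for s in sources] == ["'none'"]:
        return False
    resource, page = urlsplit(resource_url), urlsplit(page_origin)
    for src in sources:
        s = src.lower()
        if s == "'self'":
            if (resource.scheme, resource.hostname, resource.port) == (
                page.scheme, page.hostname, page.port):
                return True
        elif s.startswith("'"):
            continue  # keyword, nonce or hash source: not modelled here
        elif _host_source_matches(s, resource, page):
            return True
    return False


if __name__ == "__main__":
    page = "https://www.example.org"
    for name, text in (("quoted", QUOTED_POLICY), ("subdomain", SUBDOMAIN_POLICY)):
        pol = parse_csp(text)
        for url in ("https://www.example.org/app.js", "https://static.example.org/app.js"):
            print(f"{name:9s} script-src {url}: {allows(pol, 'script-src', url, page)}")
```

Note how the quoted policy never sets script-src, so scripts are governed by default-src 'self' and a script on the static subdomain would be blocked; the subdomain variant flips that, allowing scripts only from the static host while form-action (which has no default-src fallback) stays 'self'.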