installation/caddyfile-pleroma.example: Add Content-Security-Policy

author shibayashi <shibayashi@cypherpunk.observer>

Tue, 28 Aug 2018 23:16:13 +0000 (01:16 +0200)

committer shibayashi <shibayashi@cypherpunk.observer>

Tue, 28 Aug 2018 23:16:13 +0000 (01:16 +0200)
author shibayashi <shibayashi@cypherpunk.observer>
Tue, 28 Aug 2018 23:16:13 +0000 (01:16 +0200)
committer shibayashi <shibayashi@cypherpunk.observer>
Tue, 28 Aug 2018 23:16:13 +0000 (01:16 +0200)
diff --git a/installation/caddyfile-pleroma.example b/installation/caddyfile-pleroma.example

index ed24fc16c72f656bd4f7bec9250f62172730003b..29496d1d71860af372e035aa9f12e4fbe2e9d049 100644 (file)
--- a/installation/caddyfile-pleroma.example
+++ b/installation/caddyfile-pleroma.example
@@ -22,6 +22,7 @@ social.domain.tld  {
      Referrer-Policy "same-origin"
      Strict-Transport-Security "max-age=31536000; includeSubDomains;"
      Expect-CT "enforce, max-age=2592000"
+    Content-Security-Policy "default-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://social.domain.tld; upgrade-insecure-requests;"
    }
  
    # If you do not want remote frontends to be able to access your Pleroma backend server, remove these lines.
author	shibayashi <shibayashi@cypherpunk.observer>
	Tue, 28 Aug 2018 23:16:13 +0000 (01:16 +0200)
committer	shibayashi <shibayashi@cypherpunk.observer>
	Tue, 28 Aug 2018 23:16:13 +0000 (01:16 +0200)