
tex: final CSP bits

This commit is contained in:
leo 2023-05-25 13:15:51 +02:00
parent 98fda96f9e
commit b029ddeede
Signed by: wanderer
SSH Key Fingerprint: SHA256:Dp8+iwKHSlrMEHzE3bJnPng70I7LEsa3IJXRH/U+idQ


@ -530,15 +530,16 @@ targeted and not overly broad. To give an example, a website that loads no
JavaScript at all does not need to allow a popular CDN (Content Delivery
Network) origin in its \texttt{script-src}, instead it should be set to
\texttt{'none'}. CSP can also aid with clickjacking protection using its
\texttt{frame-ancestors} directive, which could limit origins that could be
embed the website, preventing attacker from embedding the website at random
places.
\texttt{frame-ancestors} directive, which could limit origins that could embed
the website, preventing attacker from embedding the website at random places,
that is malicious websites that masquerade as being legitimate.
Getting CSP right can be tricky at first but once grokked, it is relatively
straight-forward and can increase the security of the site greatly. There are
many more directives and settings than mentioned in this section, the author
encourages anybody interested to give it a read, e.g.\ at
\url{https://web.dev/csp/}.
straight-forward and can increase the security of the site greatly. While
testing, it is best to enable CSP in the report-only mode before turning it on
in production. There are many more directives and settings than mentioned in
this section, the author encourages anybody interested to give it a read, e.g.\
at \url{https://web.dev/csp/}.
\n{2}{Summary}
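Review bot: the new sentence about testing ("While testing, it is best to enable CSP in the report-only mode before turning it on in production") is the right advice but stops short of what a reader needs to act on it; name the mechanism, i.e. that report-only is a separate `Content-Security-Policy-Report-Only` header that logs violations without enforcing the policy, and that violations are only delivered somewhere if the policy also carries a `report-uri` or `report-to` directive, otherwise they are visible only in the browser console. Smaller points in the same hunk: the rewritten clickjacking sentence reads "preventing attacker from embedding the website at random places, that is malicious websites that masquerade as being legitimate", which needs an article ("preventing an attacker") and the "that is ..." tail is a comma splice, better as "i.e.\ on malicious websites that masquerade as legitimate ones"; "straight-forward" is normally spelled "straightforward"; and the old `frame-ancestors` sentence appears to survive alongside the new one in the extracted view, so please confirm the removed lines are actually gone in the committed source so the paragraph does not state the clickjacking point twice.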