tex: final CSP bits
This commit is contained in:
parent 98fda96f9e
commit b029ddeede
tex/text.tex | 15
@ -530,15 +530,16 @@ targeted and not overly broad. To give an example, a website that loads no
JavaScript at all does not need to allow a popular CDN (Content Delivery
Network) origin in its \texttt{script-src}, instead it should be set to
\texttt{'none'}. CSP can also aid with clickjacking protection using its
\texttt{frame-ancestors} directive, which could limit origins that could be
embed the website, preventing attacker from embedding the website at random
places.
\texttt{frame-ancestors} directive, which could limit origins that could embed
the website, preventing attacker from embedding the website at random places,
that is malicious websites that masquerade as being legitimate.
Getting CSP right can be tricky at first but once grokked, it is relatively
straight-forward and can increase the security of the site greatly. There are
many more directives and settings than mentioned in this section, the author
encourages anybody interested to give it a read, e.g.\ at
\url{https://web.dev/csp/}.
straight-forward and can increase the security of the site greatly. While
testing, it is best to enable CSP in the report-only mode before turning it on
in production. There are many more directives and settings than mentioned in
this section, the author encourages anybody interested to give it a read, e.g.\
at \url{https://web.dev/csp/}.
\n{2}{Summary}
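Review bot: the added sentence "it is best to enable CSP in the report-only mode before turning it on in production" never names the mechanism; state that this means serving the policy in the `Content-Security-Policy-Report-Only` header, which logs violations (to the browser console, and to a `report-to`/`report-uri` endpoint only if one is configured) without blocking anything, so a reader can find and use it. Smaller points in the same hunk: "preventing attacker from embedding" is missing an article ("preventing an attacker"), "straight-forward" is conventionally "straightforward", and "than mentioned in this section, the author encourages" is a comma splice that reads better with a semicolon or a full stop.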