tex: final CSP bits
This commit is contained in:
parent
98fda96f9e
commit
b029ddeede
15
tex/text.tex
15
tex/text.tex
|
@ -530,15 +530,16 @@ targeted and not overly broad. To give an example, a website that loads no
|
||||||
JavaScript at all does not need to allow a popular CDN (Content Delivery
|
JavaScript at all does not need to allow a popular CDN (Content Delivery
|
||||||
Network) origin in its \texttt{script-src}, instead it should be set to
|
Network) origin in its \texttt{script-src}, instead it should be set to
|
||||||
\texttt{'none'}. CSP can also aid with clickjacking protection using its
|
\texttt{'none'}. CSP can also aid with clickjacking protection using its
|
||||||
\texttt{frame-ancestors} directive, which could limit origins that could be
|
\texttt{frame-ancestors} directive, which could limit origins that could embed
|
||||||
embed the website, preventing attacker from embedding the website at random
|
the website, preventing attacker from embedding the website at random places,
|
||||||
places.
|
that is malicious websites that masquerade as being legitimate.
|
||||||
|
|
||||||
Getting CSP right can be tricky at first but once grokked, it is relatively
|
Getting CSP right can be tricky at first but once grokked, it is relatively
|
||||||
straight-forward and can increase the security of the site greatly. There are
|
straight-forward and can increase the security of the site greatly. While
|
||||||
many more directives and settings than mentioned in this section, the author
|
testing, it is best to enable CSP in the report-only mode before turning it on
|
||||||
encourages anybody interested to give it a read, e.g.\ at
|
in production. There are many more directives and settings than mentioned in
|
||||||
\url{https://web.dev/csp/}.
|
this section, the author encourages anybody interested to give it a read, e.g.\
|
||||||
|
at \url{https://web.dev/csp/}.
|
||||||
|
|
||||||
\n{2}{Summary}
|
\n{2}{Summary}
|
||||||
|
|
||||||
|
|
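Review bot: the reworded frame-ancestors sentence on the right-hand side still carries a grammar slip and a run-on; "preventing attacker from embedding the website at random places, that is malicious websites that masquerade as being legitimate" should read "preventing an attacker from embedding the website at random places, that is, malicious websites that masquerade as being legitimate". The new report-only advice would be more actionable if it named the mechanism: the policy is delivered in the Content-Security-Policy-Report-Only header, and violation reports only reach the site operator when the policy also carries a report-to (or the older report-uri) directive pointing at a collection endpoint; without one the browser merely logs violations to its console, which is easy to miss during the testing phase this paragraph recommends. Minor: "straight-forward" is normally written "straightforward", and "instead it should be set to" in the unchanged context above is a comma splice ("; instead, it should be set to").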