cheat sheet:
https://blog.sucuri.net/2023/04/how-to-set-up-a-content-security-policy-csp-in-3-steps.html
example:
https://content-security-policy.com/examples/#:~:text=Here's%20a%20simple%20example%20of,%2Dsrc%20and%20img%2Dsrc%20.
Here's a simple example of a Content-Security-Policy header:
Content-Security-Policy: default-src 'self'; img-src 'self' cdn.example.com;
In this example CSP policy you find two CSP directives: default-src and img-src.
The default-src directive restricts what URLs resources can be fetched from by the document that set the Content-Security-Policy header. This includes images (img-src), CSS files (style-src), JS files (script-src), etc.
We have set the default-src directive to 'self', which means the same origin, that is the same scheme and domain as the document.
By adding the img-src directive to our policy we can override the default-src directive and provide a policy specific to loading images. In this case we are allowing images to be loaded from 'self' and the domain cdn.example.com.
Check out the Content-Security-Policy header reference for a full list of directives.
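The fallback behaviour described above (a fetch directive such as script-src inherits default-src when it is not set, while img-src overrides it) is easy to get wrong when reviewing a policy by eye. The following Python is an added example, not code from the original page or from content-security-policy.com: it parses a header value, resolves the effective source list for a directive, and decides whether a given URL is allowed for a document at a given origin. The FALLBACK_TO_DEFAULT set, the simplified host-source matcher (paths are ignored, and only http/https/ws/wss schemes are considered) and the sample header are this example's own assumptions.

```python
from urllib.parse import urlparse

# Fetch directives that inherit default-src when they are absent. This is the
# subset a reviewer most often checks (an assumption of this example), not a
# complete transcription of the CSP specification.
FALLBACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
    "manifest-src",
}


def parse_csp(header: str) -> dict:
    """Parse a Content-Security-Policy header value into
    {directive-name: [source expressions]}. Directives are separated by ';'
    and the first occurrence of a directive name wins, as browsers do."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: dict, directive: str):
    """Resolve which source list governs `directive`: the directive's own list
    if present, else default-src for fetch directives, else None (unrestricted)."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT:
        return policy.get("default-src")
    return None


def _host_source_matches(expr: str, target) -> bool:
    """Match a host-source such as cdn.example.com, *.example.com or
    https://cdn.example.com:443. Path components are ignored here (simplification)."""
    scheme, sep, rest = expr.partition("://")
    if not sep:
        scheme, rest = "", expr
    rest = rest.split("/", 1)[0]                      # drop any path
    host, _, port = rest.partition(":")
    if scheme and scheme != target.scheme:
        return False
    if not scheme and target.scheme not in ("http", "https"):
        return False
    t_host = (target.hostname or "").lower()
    if host.startswith("*."):
        if not t_host.endswith(host[1:]):             # *.example.com != example.com
            return False
    elif host != t_host:
        return False
    if port and port != "*":
        default = {"http": 80, "https": 443}.get(target.scheme)
        if str(target.port or default) != port:
            return False
    return True


def _source_matches(expr: str, url: str, document_origin: str) -> bool:
    """Does one source expression authorise fetching `url` from a document at
    `document_origin`?"""
    expr = expr.lower()
    target = urlparse(url)
    if expr == "'none'":
        return False
    if expr == "*":
        return target.scheme in ("http", "https", "ws", "wss")
    if expr == "'self'":
        doc = urlparse(document_origin)
        return (target.scheme, (target.hostname or "").lower(), target.port) == \
               (doc.scheme, (doc.hostname or "").lower(), doc.port)
    if expr.startswith("'"):
        # 'unsafe-inline', 'nonce-...', 'sha256-...' govern inline content,
        # not fetched URLs, so they never authorise a URL here.
        return False
    if expr.endswith(":") and "/" not in expr:
        return target.scheme == expr[:-1]             # scheme-source, e.g. https:
    return _host_source_matches(expr, target)


def is_allowed(policy: dict, directive: str, url: str, document_origin: str) -> bool:
    """Apply the effective source list for `directive` to `url`. An empty list
    (e.g. "img-src;") allows nothing; an unrestricted directive allows everything."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    return any(_source_matches(s, url, document_origin) for s in sources)


if __name__ == "__main__":
    # Constructed sample: the header from the text, for a document on https://example.com
    policy = parse_csp("default-src 'self'; img-src 'self' cdn.example.com;")
    origin = "https://example.com"
    for directive, url in [("img-src", "https://cdn.example.com/logo.png"),
                           ("script-src", "https://cdn.example.com/app.js"),
                           ("script-src", "https://example.com/app.js")]:
        print(f"{directive:10} {url:40} -> {is_allowed(policy, directive, url, origin)}")
```

Running it shows the point of the section: the image from cdn.example.com is allowed because img-src lists that host, but a script from the same CDN is blocked, because script-src is absent and inherits default-src 'self'.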