Jason, Rather than putting the headers in Sling, I'd recommend supplying the CSP in your caching (httpd etc) layer. Something like this:
# httpd directives (mod_headers); adjust the ALLOW-FROM / Feature-Policy origins to your own
Header set X-Frame-Options "ALLOW-FROM https://launch.adobe.com"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set Feature-Policy "sync-xhr 'self' https://www.danklco.com"
Header set Content-Security-Policy "default-src https: data: 'unsafe-inline'"

I use this on my personal site and have an A rating: https://securityheaders.com/?q=https%3A%2F%2Fwww.danklco.com%2F

Regards,
Dan

On Fri, Jan 10, 2020 at 12:26 PM Jason E Bailey <j...@apache.org> wrote:
> If you're not familiar with them:
>
> https://tools.ietf.org/html/rfc7231
> https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
>
> I'm wondering if anyone has used the CSP to secure JavaScript and styles
> successfully in Sling, and what techniques they used to get there.
>
> I'm about to raise an issue with our vendor because of the lack of support,
> but I like to try to avoid tickets if necessary.
>
> - Jason
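Once the headers are set in the caching layer, the practical follow-up is to confirm they actually reach the client and to see what the CSP does to scripts, which is what Jason asked about. The script below is an added example written for this page; it is not Dan's code, not part of Sling, and not taken from securityheaders.com. It parses `curl -sI` style output, checks that the five headers from the httpd snippet are present, and splits the Content-Security-Policy into directives so the effective script policy can be inspected. Per CSP semantics, script-src falls back to default-src when absent, so a `'unsafe-inline'` in default-src also permits inline `<script>`; the audit reports that. The SAMPLE_RESPONSE text is constructed to match the directives above and was not captured from any real host.

```python
"""Audit the security headers a caching layer (httpd etc.) actually serves.

Usage against a real site: `curl -sI https://www.danklco.com/` and pass the
captured text to audit_response(). SAMPLE_RESPONSE below is a constructed
stand-in for that output, not a real capture.
"""
from typing import Dict, List

# Constructed sample: what `curl -sI` would print for a server emitting the
# five headers from the httpd snippet in the mail. Not a real capture.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Fri, 10 Jan 2020 17:30:00 GMT
Content-Type: text/html;charset=utf-8
X-Frame-Options: ALLOW-FROM https://launch.adobe.com
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Feature-Policy: sync-xhr 'self' https://www.danklco.com
Content-Security-Policy: default-src https: data: 'unsafe-inline'
"""

# The headers the httpd snippet sets; lowercase because header names are
# case-insensitive (RFC 7230) and we normalise on parse.
EXPECTED = [
    "x-frame-options",
    "x-xss-protection",
    "x-content-type-options",
    "feature-policy",
    "content-security-policy",
]


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse `curl -I` style output into a dict keyed by lowercase name.

    The status line and blank lines are skipped; values keep their case
    because CSP keywords such as 'unsafe-inline' are compared verbatim.
    """
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}.

    Directives are ';'-separated; within one, the first whitespace-separated
    token is the directive name and the rest are its sources.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_response(raw: str) -> Dict[str, List[str]]:
    """Return {'missing': [...], 'csp_findings': [...]} for a raw response.

    'missing' lists expected headers not present; 'csp_findings' describes
    what the policy allows for scripts, since that is the usual goal of CSP.
    """
    headers = parse_headers(raw)
    missing = [h for h in EXPECTED if h not in headers]
    findings: List[str] = []
    if "content-security-policy" in headers:
        csp = parse_csp(headers["content-security-policy"])
        # script-src inherits default-src when it is not set explicitly.
        effective = csp.get("script-src", csp.get("default-src", []))
        if "script-src" not in csp:
            findings.append("no script-src; scripts governed by default-src")
        if "'unsafe-inline'" in effective:
            findings.append(
                "inline scripts allowed (effective script-src: %s)"
                % " ".join(effective)
            )
    return {"missing": missing, "csp_findings": findings}


if __name__ == "__main__":
    import json
    print(json.dumps(audit_response(SAMPLE_RESPONSE), indent=2))
```

For the constructed sample, `missing` is empty and `csp_findings` notes that scripts are governed by default-src and that inline scripts are allowed. To move from "headers present" to "scripts actually locked down", the same parser tells you when a separate `script-src` without `'unsafe-inline'` (for example with nonces or hashes, per the MDN page Jason linked) has taken effect.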