I should have been more specific. I have a security person who wants us to 
remove the unsafe-inline for the JavaScript.
This has taken up so much of my focus that I forgot all about the rest of it.

To pull off the removal of the unsafe-inline you have to use hashes for the 
javascript or a nonce that changes every time you request the page. This is 
where my mind starts to explode.

--
Jason

On Fri, Jan 10, 2020, at 2:13 PM, Daniel Klco wrote:
> Jason,
> 
> Rather than putting the headers in Sling, I'd recommend supplying the CSP
> in your caching (httpd etc) layer. Something like this:
> 
> Header set X-Frame-Options "ALLOW-FROM https://launch.adobe.com"
> Header set X-XSS-Protection "1; mode=block"
> Header set X-Content-Type-Options "nosniff"
> Header set Feature-Policy "sync-xhr 'self' https://www.danklco.com"
> Header set Content-Security-Policy "default-src https: data: 'unsafe-inline'"
> 
> 
> I use this on my personal site and have an A rating:
> https://securityheaders.com/?q=https%3A%2F%2Fwww.danklco.com%2F
> 
> Regards,
> Dan
> 
> 
> On Fri, Jan 10, 2020 at 12:26 PM Jason E Bailey <j...@apache.org> wrote:
> 
> > If you're not familiar with them
> >
> > https://tools.ietf.org/html/rfc7231
> > https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
> >
> > I'm wondering if anyone has used the CSP to secure javascript and styles
> > successfully in Sling and what techniques did they use to get there.
> >
> > I'm about to raise an issue with our vendor because of lack of support,
> > but I like to try to avoid tickets if necessary.
> >
> > - Jason
> >
>
