From 5a8d1a9c896d7beadceeb63b5a3feeb201db6667 Mon Sep 17 00:00:00 2001
From: Ihor Aleksandrychiev
Date: Fri, 11 Oct 2024 12:12:46 +0300
Subject: [PATCH] Added Content-Security-Policy header to the Apache httpd config

Ticket: ENT-4400

Signed-off-by: Ihor Aleksandrychiev
---
 deps-packaging/apache/httpd.conf | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/deps-packaging/apache/httpd.conf b/deps-packaging/apache/httpd.conf
index 6a98248fa..73bbcddd6 100644
--- a/deps-packaging/apache/httpd.conf
+++ b/deps-packaging/apache/httpd.conf
@@ -199,6 +199,23 @@ LogLevel warn
 Header always set X-Frame-Options DENY
 Header always set X-Content-Type-Options nosniff
+ Header always set Content-Security-Policy \
+ "frame-ancestors 'self'; \
+ default-src 'self'; \
+ script-src 'self' 'unsafe-inline'; \
+ style-src 'self' 'unsafe-inline' fonts.googleapis.com; \
+ object-src 'none'; \
+ frame-src 'self'; \
+ child-src 'self'; \
+ img-src 'self' data: blob: avatars.githubusercontent.com badges.gitter.im fonts.gstatic.com kiwiirc.com raw.githubusercontent.com; \
+ font-src 'self' data: fonts.googleapis.com fonts.gstatic.com; \
+ connect-src 'self' fonts.gstatic.com fonts.googleapis.com; \
+ manifest-src 'self'; \
+ base-uri 'self'; \
+ form-action 'self'; \
+ media-src 'self'; \
+ worker-src 'self' blob:;"
+
 SSLOptions +StdEnvVars
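Review bot: `frame-ancestors 'self'` in the new header is looser than the `X-Frame-Options DENY` kept on the context line just above it, and browsers that honour CSP ignore X-Frame-Options once frame-ancestors is present, so the effective clickjacking protection quietly drops from "no framing" to "same-origin framing"; unless same-origin embedding is actually needed, the first directive should read `frame-ancestors 'none'; \`. `script-src 'self' 'unsafe-inline'` likewise gives up most of the script-injection protection this policy is meant to add, and nothing in the hunk records why inline scripts are required; a comment above the `Header always set Content-Security-Policy` line stating the reason and the intent to move to nonces or hashes would keep the next maintainer from treating it as final. The allow-listed third-party hosts in img-src, style-src, font-src and connect-src are also undocumented; a one-line comment such as `# CSP allow-list: hosts below are loaded by the web UI; keep in sync with the frontend` would make later tightening safer. The surrounding configuration stanza these Header lines sit in appears to start and end outside the hunk.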