Content Security Headers
Current revision as of 13 April 2023, 13:33

= Sections =

== Content Security Policy ==

=== upgrade-insecure-requests ===
Syntax
<pre>
upgrade-insecure-requests;
</pre>

=== frame-ancestors ===
Syntax
<pre>
frame-ancestors 'self';
</pre>

=== form-action ===
Syntax
<pre>
form-action 'self';
</pre>

=== base-uri ===
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri
Syntax
<pre>
base-uri 'self';
</pre>

=== connect-src ===
Syntax
<pre>
connect-src 'self' data: maps.googleapis.com;
</pre>

=== font-src ===
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
Syntax
<pre>
font-src 'self';
</pre>

=== img-src ===
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
Syntax
<pre>
img-src 'self';
</pre>

=== manifest-src ===
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/manifest-src
Syntax
<pre>
manifest-src 'self';
</pre>

=== object-src ===
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
Syntax
<pre>
object-src 'self';
</pre>

=== script-src ===
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
Syntax
<pre>
script-src 'self' 'unsafe-eval' 'unsafe-inline' 'report-sample';
</pre>

=== style-src ===
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
Syntax
<pre>
style-src 'self' 'unsafe-inline' 'report-sample';
</pre>

=== worker-src ===
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src
Syntax
<pre>
worker-src 'self';
</pre>

== ToDo ==

=== default-src ===
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
Syntax
<pre>
default-src 'self';
</pre>
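The snippets above are fragments of one Content-Security-Policy header: the trailing semicolon on each of them is the separator between directives. The following Python script is an added example and not code from this wiki page. It joins the directive values listed in this section (including the default-src from the ToDo section) into a single header value, parses it back, resolves which directive governs a resource type that is not listed (the fallback chains follow the CSP Level 3 definitions), and reports what a reviewer would flag, in particular the 'unsafe-inline' and 'unsafe-eval' keywords in script-src. All helper names and the fallback table are my own.

```python
"""Assemble, parse and assess a Content-Security-Policy header.

Added example, not code from the wiki page: the directive values are the
ones the page lists; helper names and the FALLBACK table are my own.
"""
from __future__ import annotations

# Directive values as listed on the page (constructed from the page text).
PAGE_DIRECTIVES: dict[str, list[str]] = {
    "upgrade-insecure-requests": [],
    "frame-ancestors": ["'self'"],
    "form-action": ["'self'"],
    "base-uri": ["'self'"],
    "connect-src": ["'self'", "data:", "maps.googleapis.com"],
    "font-src": ["'self'"],
    "img-src": ["'self'"],
    "manifest-src": ["'self'"],
    "object-src": ["'self'"],
    "script-src": ["'self'", "'unsafe-eval'", "'unsafe-inline'", "'report-sample'"],
    "style-src": ["'self'", "'unsafe-inline'", "'report-sample'"],
    "worker-src": ["'self'"],
    "default-src": ["'self'"],
}

# Which directives a browser consults, in order, when a fetch directive is
# absent (CSP Level 3). Navigation and document directives such as
# frame-ancestors, form-action and base-uri never fall back, so they are
# deliberately not in this table.
FALLBACK: dict[str, list[str]] = {
    "child-src": ["default-src"],
    "connect-src": ["default-src"],
    "font-src": ["default-src"],
    "img-src": ["default-src"],
    "manifest-src": ["default-src"],
    "media-src": ["default-src"],
    "object-src": ["default-src"],
    "script-src": ["default-src"],
    "style-src": ["default-src"],
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
    "script-src-elem": ["script-src", "default-src"],
    "script-src-attr": ["script-src", "default-src"],
    "style-src-elem": ["style-src", "default-src"],
    "style-src-attr": ["style-src", "default-src"],
}


def serialize(policy: dict[str, list[str]]) -> str:
    """Join the per-directive snippets into one header value, separated by ';'."""
    return "; ".join(" ".join([name, *values]) for name, values in policy.items())


def parse(header_value: str) -> dict[str, list[str]]:
    """Split a header value into directives. A repeated directive is ignored,
    which is what browsers do: the first occurrence wins."""
    policy: dict[str, list[str]] = {}
    for directive in header_value.split(";"):
        fields = directive.split()
        if fields:
            policy.setdefault(fields[0].lower(), fields[1:])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Return the source list that governs `directive` after following the
    fallback chain; None means the directive is unrestricted."""
    for name in [directive, *FALLBACK.get(directive, [])]:
        if name in policy:
            return policy[name]
    return None


def findings(policy: dict[str, list[str]]) -> list[str]:
    """Report the weaknesses a reviewer would flag in this policy."""
    issues: list[str] = []
    if "default-src" not in policy:
        issues.append("no default-src: unlisted fetch directives are unrestricted")
    weak_keywords = {"script-src": ("'unsafe-inline'", "'unsafe-eval'"),
                     "style-src": ("'unsafe-inline'",)}
    for directive, keywords in weak_keywords.items():
        sources = effective_sources(policy, directive) or []
        for keyword in keywords:
            if keyword in sources:
                issues.append(f"{directive} allows {keyword}")
    # These three decide whether injected markup can run code, load plugins
    # or redirect relative URLs, so none of them may be left open.
    for directive in ("script-src", "object-src", "base-uri"):
        sources = effective_sources(policy, directive)
        if sources is None or "*" in sources:
            issues.append(f"{directive} is unrestricted")
    return issues


if __name__ == "__main__":
    header = serialize(PAGE_DIRECTIVES)
    print("Content-Security-Policy:", header)
    for issue in findings(parse(header)):
        print(" -", issue)
```

Run against the page's own directives the script flags 'unsafe-inline' and 'unsafe-eval' in script-src and 'unsafe-inline' in style-src; 'report-sample' is not a weakness, it only adds a sample of the blocked code to violation reports. Replacing 'unsafe-inline' in script-src with a nonce or hash source is the usual way to close the script-src finding, since CSP3 browsers ignore 'unsafe-inline' as soon as a nonce or hash is present.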
== Strict-Transport-Security ==
Syntax in .htaccess
<pre>
Header set Strict-Transport-Security "max-age=2592000; includeSubDomains; preload"
</pre>

== X-Content-Type-Options ==
Syntax in .htaccess
<pre>
Header set X-Content-Type-Options "nosniff"
</pre>

== X-Frame-Options ==
Syntax in .htaccess
<pre>
Header set X-Frame-Options "SAMEORIGIN"
</pre>

== Referrer-Policy ==
=== Integration ===
==== via HTML ====
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#integration_with_html
Syntax
<pre>
<meta name="referrer" content="same-origin" />
</pre>

==== via .htaccess ====
Syntax
<pre>
Header set Referrer-Policy "same-origin"
</pre>

== Permissions-Policy ==
https://developer.mozilla.org/en-US/docs/Web/HTTP/Permissions_Policy
Syntax in .htaccess
<pre>
Header set Permissions-Policy "geolocation=()"
</pre>
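Once the .htaccess rules above are in place, the remaining question is whether the headers actually arrive with usable values. The following Python script is an added example, not part of this wiki page: SAMPLE_HEADERS is a constructed dictionary of the values the rules above make Apache send, and the checks and thresholds are my own. It parses the Strict-Transport-Security value and applies the one caveat that matters for the value on this page: the HSTS preload list only accepts a domain whose max-age is at least one year (31536000 seconds), so the 30-day max-age of 2592000 combined with the preload token is flagged. It also verifies X-Content-Type-Options, X-Frame-Options (only DENY and SAMEORIGIN are reliable; ALLOW-FROM is obsolete), and the presence of Referrer-Policy and Permissions-Policy.

```python
"""Audit the non-CSP response headers configured on this page.

Added example, not part of the wiki page: SAMPLE_HEADERS is constructed
from the .htaccess values on the page; checks and thresholds are my own.
"""
from __future__ import annotations

# Constructed sample: what the .htaccess rules on this page make Apache send.
SAMPLE_HEADERS: dict[str, str] = {
    "Strict-Transport-Security": "max-age=2592000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "sameorigin",
    "Referrer-Policy": "same-origin",
    "Permissions-Policy": "geolocation=()",
}

# hstspreload.org accepts a domain only with a max-age of at least one year.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> dict[str, str]:
    """Split 'max-age=N; includeSubDomains; preload' into a dict.

    RFC 6797 directive names are case-insensitive and the max-age value may
    be a quoted string, so names are lowercased and quotes stripped."""
    fields: dict[str, str] = {}
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        if name:
            fields[name.strip().lower()] = val.strip().strip('"')
    return fields


def audit(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    # Header names are case-insensitive on the wire.
    h = {name.lower(): value for name, value in headers.items()}
    issues: list[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        issues.append("HSTS: header missing")
    else:
        fields = parse_hsts(hsts)
        max_age = int(fields["max-age"]) if fields.get("max-age", "").isdigit() else -1
        if max_age < 0:
            issues.append("HSTS: max-age missing or not a number")
        if "preload" in fields:
            if max_age < PRELOAD_MIN_MAX_AGE:
                issues.append(f"HSTS: preload requires max-age >= {PRELOAD_MIN_MAX_AGE}, got {max_age}")
            if "includesubdomains" not in fields:
                issues.append("HSTS: preload requires includeSubDomains")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        issues.append("X-Content-Type-Options: expected nosniff")

    # ALLOW-FROM is obsolete and ignored by current browsers; a CSP
    # frame-ancestors directive takes precedence over this header if both
    # are present, so the two should agree.
    if h.get("x-frame-options", "").strip().lower() not in ("deny", "sameorigin"):
        issues.append("X-Frame-Options: expected DENY or SAMEORIGIN")

    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            issues.append(f"{name}: header missing")
    return issues


if __name__ == "__main__":
    for line in audit(SAMPLE_HEADERS) or ["all checks passed"]:
        print(line)
```

To audit a live site, feed the script the response headers from the deployed server (for example the dictionary returned by an HTTP client library) in place of SAMPLE_HEADERS; the only finding it should produce for the values on this page is the preload max-age one, which disappears once max-age is raised to 31536000.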