Content Security Headers: Unterschied zwischen den Versionen

Aus wiki.sehanka.de
Zur Navigation springen Zur Suche springen
 
(16 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 54: Zeile 54:
</pre>
</pre>


== ToDo ==
=== font-src ===
 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
 
Syntax
 
<pre>
font-src 'self';
</pre>


=== img-src 'self' ===  
=== img-src 'self' ===  
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src


Syntax
Syntax


<pre>
<pre>
img-src 'self' blob: data:;
img-src 'self';
</pre>
</pre>


=== manifest-src ===  
=== manifest-src ===  
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/manifest-src


Syntax
Syntax


<pre>
<pre>
manifest-src 'self' data:;
manifest-src 'self';
</pre>
</pre>


=== object-src ===  
=== object-src ===  
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src


Syntax
Syntax
Zeile 80: Zeile 94:
</pre>
</pre>


=== script-src ===  
=== script-src ===
 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src


Syntax
Syntax
Zeile 88: Zeile 104:
</pre>
</pre>


=== style-src ===  
=== style-src ===
 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src


Syntax
Syntax
Zeile 97: Zeile 115:


=== worker-src ===  
=== worker-src ===  
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src


Syntax
Syntax
Zeile 103: Zeile 123:
worker-src 'self';
worker-src 'self';
</pre>
</pre>
== ToDo ==


=== default-src ===  
=== default-src ===  
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src


Syntax
Syntax
Zeile 113: Zeile 137:


== Strict-Transport-Security ==  
== Strict-Transport-Security ==  
Syntax in .htaccess
<pre>
Header set Strict-Transport-Security "max-age=2592000; includeSubDomains; preload"
</pre>


== X-Content-Type-Options ==  
== X-Content-Type-Options ==  
Syntax in .htaccess
<pre>
Header set X-Content-Type-Options "nosniff"
</pre>


== X-Frame-Options ==
== X-Frame-Options ==


== Referrer-Policy ==  
Syntax in .htaccess
 
<pre>
Header set x-frame-options "sameorigin"
</pre>
 
== Referrer-Policy ==
 
=== Integration ===
 
==== via HTML ====
 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#integration_with_html
 
Syntax
 
<pre>
<meta name="referrer" content="same-origin" />
</pre>
 
==== via .htaccess ====
 
Syntax
 
<pre>
Header set Referrer-Policy "same-origin"
</pre>


== Permissions-Policy ==
== Permissions-Policy ==


* https://developer.mozilla.org/en-US/docs/Web/HTTP/Permissions_Policy
https://developer.mozilla.org/en-US/docs/Web/HTTP/Permissions_Policy
 
Syntax in .htaccess
<pre>
Header set Permissions-Policy "geolocation=()"
</pre>

Aktuelle Version vom 13. April 2023, 13:33 Uhr

Bereiche[Bearbeiten]

Content Security Policy[Bearbeiten]

upgrade-insecure-requests[Bearbeiten]

Syntax 

upgrade-insecure-requests;

frame-ancestors[Bearbeiten]

Syntax 

frame-ancestors 'self';

form-action[Bearbeiten]

Syntax 

form-action 'self';

base-uri[Bearbeiten]

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri

Syntax 

base-uri 'self';


connect-src[Bearbeiten]

Syntax 

connect-src 'self' data: maps.googleapis.com;

font-src[Bearbeiten]

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src

Syntax 

font-src 'self';

img-src 'self'[Bearbeiten]

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src

Syntax 

img-src 'self';

manifest-src[Bearbeiten]

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/manifest-src

Syntax 

manifest-src 'self';

object-src[Bearbeiten]

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src

Syntax 

object-src 'self';

script-src[Bearbeiten]

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

Syntax 

script-src 'self' 'unsafe-eval' 'unsafe-inline' 'report-sample';

style-src[Bearbeiten]

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src

Syntax 

style-src 'self' 'unsafe-inline' 'report-sample';

worker-src[Bearbeiten]

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src

Syntax 

worker-src 'self';

ToDo[Bearbeiten]

default-src[Bearbeiten]

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src

Syntax 

default-src 'self';

Strict-Transport-Security[Bearbeiten]

Syntax in .htaccess 

Header set Strict-Transport-Security "max-age=2592000; includeSubDomains; preload"

X-Content-Type-Options[Bearbeiten]

Syntax in .htaccess 

Header set X-Content-Type-Options "nosniff"

X-Frame-Options[Bearbeiten]

Syntax in .htaccess 

Header set x-frame-options "sameorigin"

Referrer-Policy[Bearbeiten]

Integration[Bearbeiten]

via HTML[Bearbeiten]

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#integration_with_html

Syntax 

<meta name="referrer" content="same-origin" />

via .htaccess[Bearbeiten]

Syntax 

Header set Referrer-Policy "same-origin"

Permissions-Policy[Bearbeiten]

https://developer.mozilla.org/en-US/docs/Web/HTTP/Permissions_Policy

Syntax in .htaccess 

Header set Permissions-Policy "geolocation=()"
Abgerufen von „https://wiki.sehanka.de/index.php?title=Content_Security_Headers&oldid=388