Content Security Headers

Aus wiki.sehanka.de
Version vom 13. April 2023, 13:33 Uhr von Sebastian.kalms (Diskussion | Beiträge) (→‎Permissions-Policy)
(Unterschied) ← Nächstältere Version | Aktuelle Version (Unterschied) | Nächstjüngere Version → (Unterschied)
Zur Navigation springen Zur Suche springen

Bereiche

Content Security Policy

upgrade-insecure-requests

Syntax 

upgrade-insecure-requests;

frame-ancestors

Syntax 

frame-ancestors 'self';

form-action

Syntax 

form-action 'self';

base-uri

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri

Syntax 

base-uri 'self';


connect-src

Syntax 

connect-src 'self' data: maps.googleapis.com;

font-src

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src

Syntax 

font-src 'self';

img-src 'self'

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src

Syntax 

img-src 'self';

manifest-src

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/manifest-src

Syntax 

manifest-src 'self';

object-src

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src

Syntax 

object-src 'self';

script-src

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

Syntax 

script-src 'self' 'unsafe-eval' 'unsafe-inline' 'report-sample';

style-src

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src

Syntax 

style-src 'self' 'unsafe-inline' 'report-sample';

worker-src

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src

Syntax 

worker-src 'self';

ToDo

default-src

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src

Syntax 

default-src 'self';

Strict-Transport-Security

Syntax in .htaccess 

Header set Strict-Transport-Security "max-age=2592000; includeSubDomains; preload"

X-Content-Type-Options

Syntax in .htaccess 

Header set X-Content-Type-Options "nosniff"

X-Frame-Options

Syntax in .htaccess 

Header set x-frame-options "sameorigin"

Referrer-Policy

Integration

via HTML

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#integration_with_html

Syntax 

<meta name="referrer" content="same-origin" />

via .htaccess

Syntax 

Header set Referrer-Policy "same-origin"

Permissions-Policy

https://developer.mozilla.org/en-US/docs/Web/HTTP/Permissions_Policy

Syntax in .htaccess 

Header set Permissions-Policy "geolocation=()"
Abgerufen von „https://wiki.sehanka.de/index.php?title=Content_Security_Headers&oldid=388