From 054d2805727dc7b7a74b9643529d935a42a7c920 Mon Sep 17 00:00:00 2001 From: bnewbold Date: Thu, 9 Jun 2016 20:28:19 -0400 Subject: nginx: Content-Security-Policy that doesn't clobber inline css (WTF) --- roles/nginx/HOWTO_new_site.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'roles') diff --git a/roles/nginx/HOWTO_new_site.txt b/roles/nginx/HOWTO_new_site.txt index 0989efd..8126739 100644 --- a/roles/nginx/HOWTO_new_site.txt +++ b/roles/nginx/HOWTO_new_site.txt @@ -40,8 +40,8 @@ For SSL stuff, add this to the body: ssl_certificate /etc/letsencrypt/live//fullchain.pem; ssl_certificate_key /etc/letsencrypt/live//privkey.pem; - - add_header Content-Security-Policy "default-src 'self'"; + + add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'"; add_header X-Frame-Options "SAMEORIGIN"; # 'always' if nginx > 1.7.5 add_header X-Content-Type-Options "nosniff"; # 'always' if nginx > 1.7.5 add_header X-Xss-Protection "1"; -- cgit v1.2.3