diff options
author | bnewbold <bnewbold@robocracy.org> | 2016-06-09 20:28:19 -0400 |
---|---|---|
committer | bnewbold <bnewbold@robocracy.org> | 2016-06-09 20:28:19 -0400 |
commit | 054d2805727dc7b7a74b9643529d935a42a7c920 (patch) | |
tree | 593aed1a4832d9d41821f0495b95ce963dfad765 /roles/nginx | |
parent | 3d073769c78bd66b6dfbc921627e8572ee7cc8c9 (diff) | |
download | infra-054d2805727dc7b7a74b9643529d935a42a7c920.tar.gz infra-054d2805727dc7b7a74b9643529d935a42a7c920.zip |
nginx: Content-Security-Policy that doesn't clobber inline css (WTF)
Diffstat (limited to 'roles/nginx')
-rw-r--r-- | roles/nginx/HOWTO_new_site.txt | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/roles/nginx/HOWTO_new_site.txt b/roles/nginx/HOWTO_new_site.txt index 0989efd..8126739 100644 --- a/roles/nginx/HOWTO_new_site.txt +++ b/roles/nginx/HOWTO_new_site.txt @@ -40,8 +40,8 @@ For SSL stuff, add this to the body: ssl_certificate /etc/letsencrypt/live/<cert-name>/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/<cert-name>/privkey.pem; - - add_header Content-Security-Policy "default-src 'self'"; + + add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'"; add_header X-Frame-Options "SAMEORIGIN"; # 'always' if nginx > 1.7.5 add_header X-Content-Type-Options "nosniff"; # 'always' if nginx > 1.7.5 add_header X-Xss-Protection "1"; |