author | Matthew Somerville <matthew@mysociety.org> | 2019-11-22 08:24:07 +0000 |
---|---|---|
committer | Matthew Somerville <matthew@mysociety.org> | 2019-11-25 12:25:59 +0000 |
commit | f0d7a3babca129a8ffd6d7aa4de9aaa74df475ed (patch) | |
tree | 37e622e6d9efc9616d20e83398847f28b9db2671 /docs | |
parent | 399a38c4636fac6ce4a2eb21053604ba74309a36 (diff) |
Add configuration for setting CSP header.
This allows you to output a working Content-Security-Policy header, with
optional third-party domains, by setting a new CONTENT_SECURITY_POLICY
configuration option.
Diffstat (limited to 'docs')
-rw-r--r-- | docs/customising/config.md | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/docs/customising/config.md b/docs/customising/config.md index d83e00472..f3a023b1b 100644 --- a/docs/customising/config.md +++ b/docs/customising/config.md @@ -56,6 +56,7 @@ The following are all the configuration settings that you can change in `conf/ge * <code><a href="#base_url">BASE_URL</a></code> * <code><a href="#secure_proxy_ssl_header">SECURE_PROXY_SSL_HEADER</a></code> +* <code><a href="#content_security_policy">CONTENT_SECURITY_POLICY</a></code> * <code><a href="#geo_cache">GEO_CACHE</a></code> * <code><a href="#admin_base_url">ADMIN_BASE_URL</a></code> @@ -202,6 +203,33 @@ The following are all the configuration settings that you can change in `conf/ge </dd> <dt> + <a name="content_security_policy"><code>CONTENT_SECURITY_POLICY</code></a> + </dt> + <dd> + A Content-Security-Policy header can prevent cross-site scripting, + clickjacking and other code injection attacks (see + <a href="https://en.wikipedia.org/wiki/Content_Security_Policy">Wikipedia</a> + for more). To have FixMyStreet output such a header, set this setting to 1. + If you load third-party JavaScript on your site, you will need to set this + setting to a space-separated list of domains; whatever is here, if not 1, + will be included in the header output. + <div class="more-info"> + <p>Example:</p> + <ul class="examples"> + <li> + <code>CONTENT_SECURITY_POLICY: 1</code> + </li> + <li> + <code>CONTENT_SECURITY_POLICY: 'www.example.org other.example.org'</code> + </li> + <li> + <code>CONTENT_SECURITY_POLICY: [ 'www.example.org', 'other.example.org' ]</code> + </li> + </ul> + </div> + </dd> + + <dt> <a name="email_domain"><code>EMAIL_DOMAIN</code></a>, <a name="contact_email"><code>CONTACT_EMAIL</code></a> & <a name="contact_name"><code>CONTACT_NAME</code></a> |
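Review bot: the new CONTENT_SECURITY_POLICY entry in the second hunk never says what the emitted header actually contains, so an administrator cannot tell which directives the listed domains are added to (script-src only, or also style-src, img-src, connect-src) or what the base policy allows (for instance whether inline scripts are permitted). Please document the directives the header sets, along the lines of "the header restricts script-src to 'self' plus the domains listed here", because a site owner loading third-party CSS, fonts or map tiles needs to know whether those are covered. The sentence "whatever is here, if not 1, will be included in the header output" should be made concrete in the same way. The claim that the header prevents clickjacking only holds if a frame-ancestors directive is emitted, so either confirm that it is or limit the claim to script injection. The prose says the value is "a space-separated list of domains" while the third example is a YAML list (`[ 'www.example.org', 'other.example.org' ]`); state explicitly that both forms are accepted, or drop the list example. Finally, the examples use bare hostnames; say whether a scheme prefix or a wildcard such as `*.example.org` is allowed, and suggest that administrators watch the browser console for CSP violation reports after enabling the setting, since a too-strict policy silently breaks third-party scripts.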