From f0d7a3babca129a8ffd6d7aa4de9aaa74df475ed Mon Sep 17 00:00:00 2001 From: Matthew Somerville Date: Fri, 22 Nov 2019 08:24:07 +0000 Subject: Add configuration for setting CSP header. This allows you to output a working Content-Security-Policy header, with optional third-party domains, by setting a new CONTENT_SECURITY_POLICY configuration option. --- docs/customising/config.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) (limited to 'docs/customising') diff --git a/docs/customising/config.md b/docs/customising/config.md index d83e00472..f3a023b1b 100644 --- a/docs/customising/config.md +++ b/docs/customising/config.md @@ -56,6 +56,7 @@ The following are all the configuration settings that you can change in `conf/ge * BASE_URL * SECURE_PROXY_SSL_HEADER +* CONTENT_SECURITY_POLICY * GEO_CACHE * ADMIN_BASE_URL @@ -201,6 +202,33 @@ The following are all the configuration settings that you can change in `conf/ge +
+ CONTENT_SECURITY_POLICY +
+
+ A Content-Security-Policy header can prevent cross-site scripting, + clickjacking and other code injection attacks (see + Wikipedia + for more). To have FixMyStreet output such a header, set this setting to 1. + If you load third-party JavaScript on your site, you will need to set this + setting to a space-separated list of domains; whatever is here, if not 1, + will be included in the header output. +
+

Example:

+
    +
  • + CONTENT_SECURITY_POLICY: 1 +
  • +
  • + CONTENT_SECURITY_POLICY: 'www.example.org other.example.org' +
  • +
  • + CONTENT_SECURITY_POLICY: [ 'www.example.org', 'other.example.org' ] +
  • +
+
+
+
EMAIL_DOMAIN, CONTACT_EMAIL &
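Review bot: The new CONTENT_SECURITY_POLICY section (second hunk, the paragraph starting "A Content-Security-Policy header can prevent") promises "a working Content-Security-Policy header" when the option is 1 and says that any other value "will be included in the header output", but it never states which directives the generated header contains or which directive the listed domains are appended to, so an operator reading only this page cannot tell whether their third-party scripts will be permitted or how restrictive the default policy is. Suggest adding one sentence naming the baseline policy FixMyStreet emits and the directive the domains extend, and saying whether an entry may carry a scheme or wildcard. The three bullets show the option as a bare `1`, a space-separated string and a YAML list; a short note that the string and list forms are equivalent would remove the ambiguity about which to use. Minor wording: "set this setting to 1" reads better as "set this option to 1".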