

use a table to configure CSP headers
Alan Pearce alan@alanpearce.eu
Sat, 27 Apr 2024 21:18:03 +0200
commit

6993154ea89c56798cda9b3b114289807ccbc4f1

parent

a4aafcbee5e06b8138e3b6ee8a88bb0fdd5b88db

1 files changed, 34 insertions(+), 1 deletions(-)

M config.tomlconfig.toml
@@ -15,10 +15,43 @@ name = "tags" feed = true
 
 
+[content-security-policy]
+default-src = [
+  "'none'",
+]
+form-action = [
+  "'none'",
+]
+base-uri = [
+  "'none'",
+]
+image-src = [
+  "'self'",
+  "https://gc.zgo.at",
+]
+script-src = [
+  "'self'",
+  "https://gc.zgo.at",
+]
+style-src = [
+  # index.html style
+  "'sha256-a4TPKWHB0aSu7cV10GthTEySTJ0w4r0bw6Q8JsNYMbk='",
+  # atom.xml style
+  "'sha256-gyxzfgCOxeAAL8URUdaW2nHYDOr9bzbwFjgSqi7D+8U='",
+]
+frame-ancestors = [
+  "https://kagi.com",
+]
+connect-src = [
+  "https://alanpearce-eu.goatcounter.com/count",
+]
+require-trusted-types-for = [
+  "'script'",
+]
+
 [extra.headers]
 cache-control = "max-age=14400"
 x-content-type-options = "nosniff"
-content-security-policy = "default-src 'none'; img-src 'self' https://gc.zgo.at; script-src 'self' https://gc.zgo.at; style-src 'unsafe-inline'; frame-ancestors https://kagi.com; connect-src https://alanpearce-eu.goatcounter.com/count; require-trusted-types-for 'script'"
 
 [[menus.main]]
     name = "Home"