Merge pull request #1505 from aleksandrychev/ENT-4400_3.24.x

ENT-4400: Added Content-Security-Policy header to the Apache httpd config (3.24.x)
cfengine · Oct 11, 2024 · 6f9b4bb · 6f9b4bb
2 parents 40b25d3 + f6a403d
commit 6f9b4bb
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/deps-packaging/apache/httpd.conf b/deps-packaging/apache/httpd.conf
@@ -199,6 +199,23 @@ LogLevel warn
     Header always set X-Frame-Options DENY
     Header always set X-Content-Type-Options nosniff
 
+    Header always set Content-Security-Policy \
+        "frame-ancestors 'self'; \
+        default-src 'self'; \
+        script-src 'self' 'unsafe-inline'; \
+        style-src 'self' 'unsafe-inline' fonts.googleapis.com; \
+        object-src 'none'; \
+        frame-src 'self'; \
+        child-src 'self'; \
+        img-src 'self' data: blob: avatars.githubusercontent.com badges.gitter.im fonts.gstatic.com kiwiirc.com raw.githubusercontent.com; \
+        font-src 'self' data: fonts.googleapis.com fonts.gstatic.com; \
+        connect-src 'self' fonts.gstatic.com fonts.googleapis.com; \
+        manifest-src 'self'; \
+        base-uri 'self'; \
+        form-action 'self'; \
+        media-src 'self'; \
+        worker-src 'self' blob:;"
+
     <FilesMatch "\.(cgi|shtml|phtml|php)$">
         SSLOptions +StdEnvVars
     </FilesMatch>