groove/Part-DB-server
1
0
Fork 0
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2026-06-30 14:31:35 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

Set CSP policy for static assets for security hardeninng

Browse source
This commit is contained in:
Jan Böhmer 2026-06-20 23:42:01 +02:00
parent 0cd83f0322
commit b62f47ba05
6 changed files with 29 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

11
public/.htaccess
View file

@ -119,9 +119,14 @@ DirectoryIndex index.php
</IfModule>
</IfModule>
# Set Content-Security-Policy for svg files (and compressed variants), to block embedded javascript in there
<IfModule mod_headers.c>
# Set a strict CSP for all static assets not handled by PHP.
# PHP responses already carry their own CSP via NelmioSecurityBundle, so setifempty leaves those untouched.
Header always setifempty Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; sandbox;"
Header always setifempty X-Content-Type-Options "nosniff"
# SVG files get a slightly different CSP because they can embed resources and must not be framed.
<FilesMatch "\.(svg|svg\.gz|svg\.br)$">
Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';"
Header always set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none'; sandbox;"
</FilesMatch>
</IfModule>
</IfModule>