introducing CSP header to mitigate XSS attacks, closes #10

El RIDO
2016-08-09 14:46:32 +02:00
parent a28aebae7d
commit addb666a23
11 changed files with 75 additions and 18 deletions


@@ -59,6 +59,13 @@ languageselection = false
; and a rainbow table is generated for all IPs. Enabled by default.
; vizhash = false
; Content Security Policy headers allow a website to restrict what sources are
; allowed to be accessed in its context. You need to change this if you added
; custom scripts from third-party domains to your templates, e.g. tracking
; scripts or run your site behind certain DDoS-protection services.
; Check the documentation at https://content-security-policy.com/
cspheader = "default-src 'none'; connect-src *; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self';"
; stay compatible with PrivateBin Alpha 0.19, less secure
; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
; sha256 in HMAC for the deletion token