Content Security Policy (CSP)
Sven Eberth edited this page Feb 20, 2019
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware. The policy is delivered to the browser as a response header and restricts, per content type (scripts, images, stylesheets, frames, ...), the origins from which the page may load resources.

Use `securityheaders.addCspRule(directive, source, mode)` to add rules to the content security policy: the first argument is the CSP directive (for example `script-src`), the second a source expression (a host pattern, a scheme such as `data:`, or a keyword such as `unsafe-inline`), and the third the mode in which the rule is applied (`"enforce"` in the example below). You have to call `addCspRule()` from your project's main file before calling `server.setup()`; rules added later are not part of the header.

This is an example configuration that allows content from several trusted third-party domains. Be aware of two things when adapting it: `unsafe-inline` in `script-src` permits any inline script, including one injected by an attacker, so it removes most of the XSS protection a CSP is meant to provide; prefer nonces or hashes for the inline scripts you control. The keywords `unsafe-inline` and `unsafe-eval` are also only meaningful for `script-src` and `style-src`; browsers ignore them in `img-src`, so the two corresponding lines below have no effect.
```python
from server import conf, securityheaders

# Register all rules here, before server.setup() is called.
# Fallback for every fetch directive that is not listed explicitly below.
securityheaders.addCspRule("default-src", "*.gstatic.com", "enforce")
# Scripts: inline scripts plus the Google and jQuery CDNs.
# "unsafe-inline" allows injected inline scripts too and weakens XSS protection.
securityheaders.addCspRule("script-src", "unsafe-inline", "enforce")
securityheaders.addCspRule("script-src", "*.googleapis.com", "enforce")
securityheaders.addCspRule("script-src", "*.google.com", "enforce")
securityheaders.addCspRule("script-src", "*.gstatic.com", "enforce")
securityheaders.addCspRule("script-src", "*.google-analytics.com", "enforce")
securityheaders.addCspRule("script-src", "*.jquery.com", "enforce")
# Images: analytics beacons and inline data: URIs.
securityheaders.addCspRule("img-src", "*.google-analytics.com", "enforce")
securityheaders.addCspRule("img-src", "data:", "enforce")
# The next two keywords only apply to script-src/style-src; browsers ignore them in img-src.
securityheaders.addCspRule("img-src", "unsafe-inline", "enforce")
securityheaders.addCspRule("img-src", "unsafe-eval", "enforce")
# Stylesheets from Google Fonts.
securityheaders.addCspRule("style-src", "fonts.googleapis.com", "enforce")
# Embedded frames: YouTube players and Google.
securityheaders.addCspRule("frame-src", "*.youtube-nocookie.com", "enforce")
securityheaders.addCspRule("frame-src", "*.youtube.com", "enforce")
securityheaders.addCspRule("frame-src", "*.google.com", "enforce")
```
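To make visible what the calls above produce on the wire, and why some of them are weak, here is an added example that models a rule registry with the same `(directive, source, mode)` shape. It is not ViUR's `securityheaders` module and makes no claim about its internals: the class `CspPolicy`, the methods `add_rule`, `headers` and `audit`, and the assumption that a `"monitor"` mode maps to the `Content-Security-Policy-Report-Only` header are all inventions of this example. `page_policy()` replays the configuration from this page; `hardened_policy()` shows the same third parties with a per-response nonce instead of `unsafe-inline`.

```python
# Added example: stand-in model of a CSP rule registry. Not ViUR's code; the
# names and the "monitor" -> Report-Only mapping are assumptions for this example.
from collections import OrderedDict
import secrets

# Fetch directives accepted by this model (CSP Level 2 subset).
DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src", "child-src",
}
# Keyword sources must be single-quoted in the header; hosts and schemes must not.
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}
# These keywords only mean something in script-src/style-src (default-src as fallback).
SCRIPT_STYLE_KEYWORDS = {"unsafe-inline", "unsafe-eval", "strict-dynamic"}
# Assumed mapping of the mode argument to the response header it ends up in.
HEADER_FOR_MODE = {
    "enforce": "Content-Security-Policy",
    "monitor": "Content-Security-Policy-Report-Only",
}


def quote_source(src):
    """Render one source expression exactly as it must appear in the header."""
    if src in KEYWORDS or src.startswith(("nonce-", "sha256-", "sha384-", "sha512-")):
        return "'%s'" % src
    return src


class CspPolicy:
    """Collects rules per mode and directive, preserving insertion order."""

    def __init__(self):
        self.rules = {mode: OrderedDict() for mode in HEADER_FOR_MODE}

    def add_rule(self, directive, src, mode="enforce"):
        if mode not in HEADER_FOR_MODE:
            raise ValueError("mode must be one of %s" % sorted(HEADER_FOR_MODE))
        if directive not in DIRECTIVES:
            raise ValueError("unknown directive %r" % directive)
        sources = self.rules[mode].setdefault(directive, [])
        if src not in sources:  # repeated calls must not bloat the header
            sources.append(src)

    def header_value(self, mode):
        return "; ".join(
            "%s %s" % (directive, " ".join(quote_source(s) for s in sources))
            for directive, sources in self.rules[mode].items()
        )

    def headers(self):
        """Header name -> header value, only for modes that have rules."""
        return {HEADER_FOR_MODE[m]: self.header_value(m)
                for m in HEADER_FOR_MODE if self.rules[m]}

    def audit(self):
        """Findings about rules that are ineffective or weaken the policy."""
        findings = []
        for mode, directives in self.rules.items():
            for directive, sources in directives.items():
                for src in sources:
                    if src in SCRIPT_STYLE_KEYWORDS and directive not in (
                            "script-src", "style-src", "default-src"):
                        findings.append("%s: '%s' is ignored by browsers in this "
                                        "directive (%s)" % (directive, src, mode))
                    if directive == "script-src" and src == "unsafe-inline":
                        findings.append("script-src: 'unsafe-inline' allows injected "
                                        "inline scripts, defeating CSP's XSS protection (%s)" % mode)
        return findings


def page_policy():
    """The configuration from this wiki page, replayed against the model."""
    p = CspPolicy()
    for directive, src in [
        ("default-src", "*.gstatic.com"),
        ("script-src", "unsafe-inline"), ("script-src", "*.googleapis.com"),
        ("script-src", "*.google.com"), ("script-src", "*.gstatic.com"),
        ("script-src", "*.google-analytics.com"), ("script-src", "*.jquery.com"),
        ("img-src", "*.google-analytics.com"), ("img-src", "data:"),
        ("img-src", "unsafe-inline"), ("img-src", "unsafe-eval"),
        ("style-src", "fonts.googleapis.com"),
        ("frame-src", "*.youtube-nocookie.com"), ("frame-src", "*.youtube.com"),
        ("frame-src", "*.google.com"),
    ]:
        p.add_rule(directive, src, "enforce")
    return p


def hardened_policy(nonce):
    """Same third parties, but inline scripts need the per-response nonce."""
    p = CspPolicy()
    p.add_rule("default-src", "self")
    for src in ("self", "nonce-" + nonce, "*.googleapis.com", "*.google.com",
                "*.gstatic.com", "*.google-analytics.com", "*.jquery.com"):
        p.add_rule("script-src", src)
    for src in ("self", "*.google-analytics.com", "data:"):
        p.add_rule("img-src", src)
    for src in ("self", "fonts.googleapis.com"):
        p.add_rule("style-src", src)
    for src in ("*.youtube-nocookie.com", "*.youtube.com", "*.google.com"):
        p.add_rule("frame-src", src)
    p.add_rule("object-src", "none")  # no plugins at all
    return p


if __name__ == "__main__":
    for name, value in page_policy().headers().items():
        print("%s: %s" % (name, value))
    for finding in page_policy().audit():
        print("WARNING:", finding)
    # A fresh nonce per response; the same value goes into <script nonce="..."> tags.
    print(hardened_policy(secrets.token_urlsafe(16)).headers())
```

Running the script prints the single `Content-Security-Policy` header the page's rules produce, followed by three warnings (the `unsafe-inline` in `script-src`, and the two ignored keywords in `img-src`), and then the hardened header, which audits clean. The nonce must be freshly generated for every response and echoed into the `nonce` attribute of each inline `<script>` you emit; a static nonce would be as weak as `unsafe-inline`.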