Add default-src for CSP

MioVisman · MioVisman · commit f7a9465889c3 · 2025-04-25T16:40:11.000+07:00
Don't forget to set up security headers for your forums.
Choose the most restrictive CSP settings.
diff --git a/.dist.htaccess b/.dist.htaccess
@@ -10,7 +10,7 @@ AddDefaultCharset UTF-8
   #
   ### Only works in Apache 2.4.10+ (Reason, condition  -> "expr = -z% {resp: ...}") ###
   #
-  Header always set Content-Security-Policy "object-src 'none';frame-ancestors 'none';base-uri 'none';form-action 'self'" "expr=-z %{resp:Content-Security-Policy}"
+  Header always set Content-Security-Policy "default-src 'self';object-src 'none';frame-ancestors 'none';base-uri 'none';form-action 'self'" "expr=-z %{resp:Content-Security-Policy}"
   Header always set Feature-Policy "accelerometer 'none';ambient-light-sensor 'none';autoplay 'none';battery 'none';camera 'none';document-domain 'self';fullscreen 'self';geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none';sync-xhr 'self';usb 'none'" "expr=-z %{resp:Feature-Policy}"
   Header always set Referrer-Policy "strict-origin-when-cross-origin" "expr=-z %{resp:Referrer-Policy}"
 # for https only mode
diff --git a/nginx.dist.conf b/nginx.dist.conf
@@ -11,7 +11,7 @@ server {
     charset utf-8;
     server_tokens off;
 
-    add_header Content-Security-Policy "object-src 'none';frame-ancestors 'none';base-uri 'none';form-action 'self'" always;
+    add_header Content-Security-Policy "default-src 'self';object-src 'none';frame-ancestors 'none';base-uri 'none';form-action 'self'" always;
     add_header Feature-Policy "accelerometer 'none';ambient-light-sensor 'none';autoplay 'none';battery 'none';camera 'none';document-domain 'self';fullscreen 'self';geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none';sync-xhr 'self';usb 'none'" always;
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
 #   add_header Strict-Transport-Security "max-age=31536000" always;  # for https only

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ AddDefaultCharset UTF-8`
`10`	`10`	`#`
`11`	`11`	`### Only works in Apache 2.4.10+ (Reason, condition -> "expr = -z% {resp: ...}") ###`
`12`	`12`	`#`
`13`		`- Header always set Content-Security-Policy "object-src 'none';frame-ancestors 'none';base-uri 'none';form-action 'self'" "expr=-z %{resp:Content-Security-Policy}"`
	`13`	`+ Header always set Content-Security-Policy "default-src 'self';object-src 'none';frame-ancestors 'none';base-uri 'none';form-action 'self'" "expr=-z %{resp:Content-Security-Policy}"`
`14`	`14`	`Header always set Feature-Policy "accelerometer 'none';ambient-light-sensor 'none';autoplay 'none';battery 'none';camera 'none';document-domain 'self';fullscreen 'self';geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none';sync-xhr 'self';usb 'none'" "expr=-z %{resp:Feature-Policy}"`
`15`	`15`	`Header always set Referrer-Policy "strict-origin-when-cross-origin" "expr=-z %{resp:Referrer-Policy}"`
`16`	`16`	`# for https only mode`