Add Content Security Policy (CSP) to enhance security #1118
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This pull request introduces a Content Security Policy (CSP) to the devFind application. The CSP is designed to enhance the security of the application by restricting the sources from which content can be loaded. This helps to reduce the risk of cross-site scripting (XSS) and other injection attacks.
Related Issues
#1117
Changes Proposed
default-src 'none';
: Disallows all content by default.script-src 'self' 'unsafe-inline';
: Allows scripts only from the same origin and inline scripts.style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
: Permits styles from the same origin, inline styles, and Google Fonts.font-src 'self' https://fonts.gstatic.com;
: Restricts font loading to the same origin and Google Fonts.img-src 'self' https://github.com/ https://avatars.githubusercontent.com/ https://pbs.twimg.com;
: Allows images from the same origin, GitHub, and Twitter.manifest-src 'self';
: Restricts the web app manifest to the same origin.connect-src 'self';
: Limits network connections to the same origin.base-uri 'self';
: Ensures that the base URL is restricted to the same origin.form-action 'self';
: Restricts form submissions to the same origin.Checklist
Screenshots
Note to reviewers
Please review the CSP configuration to ensure it does not inadvertently block legitimate content. Testing across various environments is recommended to verify that all functionality remains intact while enhancing security.