You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 

3.7 KiB

+++ title = "Content Security Policy" description = "Control resources the user agent is allowed to load." categories = ["security"] tags = ["privacy", "xss", "csp"] features = ["code highlighter", "related content", "snippets"] [blackfriday] smartypants = false copyright owner = "Josh Habdas" date = "2019" license = "agpl-3.0-or-later" +++

After Dark helps you secure your site using Content Security Policy (CSP). Basic CSP is enabled by default and [Advanced Configurations]({{< relref "#advanced-configuration" >}}) are also possible.

Basic CSP offers minimal protection but is still helpful as it keeps resources from accidentally being loaded over http. In addition, Basic CSP automatically blocks all Flash and Silverlight objects before they have a chance to load.

Basic Configuration

Disable CSP site-wide add the following to your site config:

[params]
  disable_csp = true # disable site-wide

Disable CSP for a specific page using front matter:

disable_csp = true # disable for page

Advanced Configuration

Advanced configuration allows you to fine-tune policy directives based on your specific needs. To get started specify at least 1 CSP directive in site config.

{{% hackcss-alert type="info" %}}Note: You may wish to {{< external "https://gohugo.io/getting-started/usage/#disable-livereload" "Disable LiveReload" />}} while defining advanced config.{{% /hackcss-alert %}}

Define the {{< external "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src" "script-src" />}} directive site-wide:

[params.security.csp.directives]
  scriptSrc = [
    "'self'",
    "'unsafe-inline'",
    "https:",
    "'sha512-Jx/MqTxYWqHdoOkHItRJJZCvFDhERPr5gG4I5ESu3V+BgQyAQ6wXfdsGzhzmT0yyvkAWz2jbrn81q90RRJTSTg=='",
    "'sha512-hno7WeTIciCJSjg/myjyK30HYkrcGCVwo4g4SpUalvrs3r2lS7bPNIQwbCNypKbg7BZ1sA4AsGnk6Gq4NOKpGA=='",
    "'sha512-ISTAV0GadOIz/NXXHOS&+eCM0ysXVVHhQTlvA6LJxz/DeA5yIxm0Vqf5IE&+WH0yuuXkayAKtoZkQ326nch5f/fg=='",
    "'strict-dynamic'"
  ]

This will override the script-src directive's advanced default:

Directive Mapping Advanced Default
default-src defaultSrc 'none'
connect-src connectSrc 'self'
worker-src workerSrc 'self'
font-src fontSrc 'self'
media-src mediaSrc 'self'
img-src imgSrc 'self' data:
script-src scriptSrc 'none'
style-src styleSrc 'self' 'unsafe-inline'
frame-src frameSrc 'self'
object-src objectSrc 'none'

Once set, view the Content-Security-Policy meta tag in the head of your page and inspect the console for errors as you navigate to different pages. Each time you encounter an error caused by CSP is an opportunity to improve your policy.

Add page-specific directives from page front matter using the same structure and naming conventions used in site config to append items for that page:

[security.csp.directives]
  scriptSrc = [
    "'sha512-TKVuLlCT8+a0Chpa6Pw3clhu9fhZ9JOzgblgxQaUQVP/z4lfPnrdyWDOgucORnS2qapWu/iPVG2d0ywyGH2NjA=='"
  ]

{{% hackcss-alert type="info" %}}Note: Page-specific directives will not override any site-wide setting and will not apply without first overriding its advanced default via site config.{{% /hackcss-alert %}}

Continue overriding advanced defaults as necessary until all CSP errors are resolved or you're satisfied with the changes.

Additional Resources