Todo #6647

Enable CSP for GUI

Added by Chris Buechler 9 months ago. Updated 6 months ago.

Status: New
Priority: Normal
Category: Web Interface
Target version:
Start date: 07/26/2016
Due date:
% Done: 0%


Description

The nginx instance for the web GUI should enable CSP. Just adding the following works:

add_header Content-Security-Policy "default-src 'self';";

though I suspect that may break some edge case I'm not thinking of. The captive portal nginx instance shouldn't have that set, as people routinely include external resources that would be broken by that.

Adding upgrade-insecure-requests while there wouldn't hurt either.
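
A sketch of the split described above, added here as an illustration and not taken from the project's configuration: the GUI server block carries the policy, the captive portal block does not. Server names, ports, paths and certificate locations are placeholders.

```nginx
# Added example. All names, ports and paths below are placeholders.

# Web GUI instance: every resource is expected to come from the GUI itself.
server {
    listen 443 ssl;
    server_name gui.example.internal;
    ssl_certificate     /path/to/gui.crt;
    ssl_certificate_key /path/to/gui.key;
    root /path/to/gui/www;

    # Trial phase: the browser reports violations in its console but blocks
    # nothing, which surfaces edge cases before the policy is enforced.
    # add_header Content-Security-Policy-Report-Only "default-src 'self';" always;

    # Enforced policy from the ticket, plus upgrade-insecure-requests.
    # "always" also attaches the header to error responses (4xx/5xx).
    add_header Content-Security-Policy "default-src 'self'; upgrade-insecure-requests;" always;

    location / {
        # Deliberately no add_header here: nginx inherits add_header from the
        # enclosing level only when the current level defines none, so a
        # single add_header in this block would silently drop the CSP above.
        index index.html;
    }
}

# Captive portal instance: no Content-Security-Policy header, because portal
# pages routinely include external resources that the policy would block.
server {
    listen 8002;
    server_name portal.example.internal;
    root /path/to/portal/www;

    location / {
        index index.html;
    }
}
```

After reloading, `curl -sI` against each instance shows whether the `Content-Security-Policy` header is present on the GUI and absent on the portal.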

History

#1 Updated by Jim Thompson 6 months ago

  • Assignee set to Renato Botelho