-
-
Save douglasresende/62fa36177c7a1dda4bee9327e8462e4d to your computer and use it in GitHub Desktop.
Revisions
-
ambroisemaupate revised this gist
Mar 4, 2015 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -25,4 +25,4 @@ add_header X-XSS-Protection "1; mode=block"; # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval' # directives for css and js(if you have inline css or js, you will need to keep it too). # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.youtube.com maps.gstatic.com *.googleapis.com *.google-analytics.com cdnjs.cloudflare.com assets.zendesk.com connect.facebook.net; frame-src 'self' *.youtube.com assets.zendesk.com *.facebook.com s-static.ak.facebook.com tautt.zendesk.com; object-src 'self'"; -
Mar 4, 2015 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -25,4 +25,4 @@ add_header X-XSS-Protection "1; mode=block"; # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval' # directives for css and js(if you have inline css or js, you will need to keep it too). # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' vps124171.ovh.net *.youtube.com maps.gstatic.com *.googleapis.com *.google-analytics.com cdnjs.cloudflare.com assets.zendesk.com connect.facebook.net; frame-src vps124171.ovh.net *.youtube.com assets.zendesk.com *.facebook.com s-static.ak.facebook.com tautt.zendesk.com; object-src 'self'"; -
Feb 3, 2015 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,28 @@ # config to don't allow the browser to render the page inside an frame or iframe # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options add_header X-Frame-Options SAMEORIGIN; # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header, # to disable content-type sniffing on some browsers. # https://www.owasp.org/index.php/List_of_useful_HTTP_headers # currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020 add_header X-Content-Type-Options nosniff; # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for # this particular website if it was disabled by the user. # https://www.owasp.org/index.php/List_of_useful_HTTP_headers add_header X-XSS-Protection "1; mode=block"; # with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy), # you can tell the browser that it can only download content from the domains you explicitly allow # http://www.html5rocks.com/en/tutorials/security/content-security-policy/ # https://www.owasp.org/index.php/Content_Security_Policy # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval' # directives for css and js(if you have inline css or js, you will need to keep it too). # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' maps.gstatic.com *.googleapis.com *.google-analytics.com cdnjs.cloudflare.com assets.zendesk.com connect.facebook.net; frame-src assets.zendesk.com www.facebook.com s-static.ak.facebook.com tautt.zendesk.com; object-src 'none'";