Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.Content Security Policy (CSP) can be implemented by adding a Content-Security-Policy header. The value of this header is a string containing the policy directives describing your Content Security Policy. To implement CSP, you should define lists of allowed origins for the all of the types of resources that your site utilizes. For example, if you have a simple site that needs to load scripts, stylesheets, and images hosted locally, as well as from the jQuery library from their CDN, the CSP header could look like the following:
add_header Content-Security-Policy "default-src 'self' localhost 'unsafe-inline' 'unsafe-eval' blob: data: ;";
It was detected that your web application doesn't implement Content Security Policy (CSP) as the CSP header is missing from the response. It's recommended to implement Content Security Policy (CSP) into your web application.
nginx
在http、server、location下添加 add_header Content-Security-Policy
例如:
server{
add_header Content-Security-Policy "default-src 'self' localhost 'unsafe-inline' 'unsafe-eval' blob: data: ;";
}
or
location{
add_header Content-Security-Policy "default-src 'self' localhost 'unsafe-inline' 'unsafe-eval' blob: data: ;";
}
参考:
https://imququ.com/post/content-security-policy-reference.html
https://www.cnblogs.com/miracle-luna/p/14274341.html