
browse: add Content-Security-Policy w/ nonce

Open steffenbusch opened this issue 1 year ago • 0 comments

This pull request is adding a Content-Security-Policy (CSP) response header to the file server browse template. The CSP Version 3 is using strict-dynamic for script-src and style-src with a generated, unique nonce, which is then used in <script> and <style> to whitelist the content of such elements.

Also:

  • Styles from svg, such as the caddy-logo, have been changed into svg-attributes.
  • Moved inline JavaScript from body or href attribute to a dedicated

See also: https://caddy.community/t/best-practice-csp-for-file-server-browse/24714

Right now, the CSP is enabled by default with $enableCsp := true, so it would also be rather easy to disable it with this single change in a custom browse template.

At the moment, this browse template is active here: https://alma.stbu.net/testing-something/

steffenbusch, Jun 29 '24 18:06
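The per-response nonce mechanism the PR describes, as an added Go example that is not the PR's or Caddy's own code: the `browsePage` template is an assumed stand-in for the real browse template, and `newNonce`, `cspHeader` and `renderBrowse` are hypothetical names. It generates a fresh nonce per render, puts it in both the `Content-Security-Policy` header and the `nonce` attributes of the inline `<script>` and `<style>`, and honours an `enableCsp` switch like the template's `$enableCsp`.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"html/template"
	"strings"
)

// newNonce returns a fresh, unguessable per-response nonce: 128 random bits,
// base64url-encoded (a form html/template leaves untouched inside attributes).
func newNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// cspHeader builds the CSP3 policy: only <script>/<style> carrying this nonce are
// honoured; 'strict-dynamic' makes CSP3 browsers ignore host lists and 'unsafe-inline'.
func cspHeader(nonce string) string {
	return "default-src 'self'; script-src 'nonce-" + nonce + "' 'strict-dynamic'; " +
		"style-src 'nonce-" + nonce + "'; object-src 'none'; base-uri 'none'"
}

// browsePage is an assumed stand-in for the browse template, not Caddy's own:
// every <script> and <style> carries the nonce, so unnonced inline code is blocked.
var browsePage = template.Must(template.New("browse").Parse(`<!doctype html>
<html><head><meta charset="utf-8"><style nonce="{{.Nonce}}">body{font-family:sans-serif}</style></head>
<body><h1>{{.Dir}}</h1><script nonce="{{.Nonce}}">document.title = {{.Dir}};</script></body></html>`))

// renderBrowse renders one listing and returns the Content-Security-Policy value
// ("" when disabled, mirroring the template's $enableCsp switch) plus the body.
func renderBrowse(dir string, enableCsp bool) (csp, body string, err error) {
	nonce, err := newNonce() // generated per response, never reused
	if err != nil {
		return "", "", err
	}
	var sb strings.Builder
	data := struct{ Dir, Nonce string }{dir, nonce}
	if err := browsePage.Execute(&sb, data); err != nil {
		return "", "", err
	}
	if enableCsp {
		csp = cspHeader(nonce)
	}
	return csp, sb.String(), nil
}
```

A caller sets the returned `csp` as the `Content-Security-Policy` header of the same response whose body it just rendered; a nonce cached or shared between responses would let any injected markup reuse it.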