Document how to configure Content-Security-Policy header
Working on adding support for security headers in debops.nginx. But even with the changes, the Content-Security-Policy header is hard to configure right and is turned off by default.
The security cookbook should be updated to explain how to configure the Content-Security-Policy header. Explain how to set up reporting to see if a policy works. Then how to use tools like securityheaders.io and report-uri.io to craft a good policy for your site.
Just added support for the Content-Security-Policy header. I made some changes to the default header compared to the debops.nginx role. The important difference with WordPress is that you need to use 'unsafe-eval' and 'unsafe-inline' since themes and plugins output styles and scripts inline.
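As an added illustration (not the debops.nginx role's own configuration and not code from this issue), a plain nginx server block that follows the workflow described above: the policy is first shipped in report-only mode with a report-uri so violations are collected without blocking anything, and the enforcing header is switched on only once the reports are clean. The hostname, the collector URL and the non-WordPress directives are placeholders and assumptions.

```nginx
server {
    listen 443 ssl;
    server_name www.example.com;  # placeholder

    # Step 1: report-only mode. Browsers evaluate the policy, log violations
    # and POST reports to the report-uri, but never block a resource, so a
    # policy that is still wrong does not break the site while it is tuned.
    # 'unsafe-inline' and 'unsafe-eval' are required here because WordPress
    # themes and plugins emit inline scripts and styles.
    # The collector URL is a placeholder; a hosted service such as
    # report-uri.io, or an endpoint of your own, goes here.
    add_header Content-Security-Policy-Report-Only
        "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'self'; report-uri https://REPORT-COLLECTOR.example/csp"
        always;

    # Step 2: once the report stream is quiet, replace the directive above
    # with the enforcing header (same policy string, same 'always' flag):
    # add_header Content-Security-Policy "<same policy>" always;

    # Caveat: any add_header inside a location block discards every header
    # inherited from the server context, so the CSP directive must be
    # repeated in every location that sets its own add_header.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

Use `always` so the header is also sent on 4xx/5xx responses, and check the live result with a tool such as securityheaders.io before turning the enforcing header on.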