Fli
08-20-2017, 10:31 PM
Hello,
https://content-security-policy.com/ says that CSP "helps you reduce XSS risks on modern browsers" and at https://securityheaders.io/ one can discover current website state regarding CSP.
In my case I reduced XSS risks by adding this to my .htaccess file:
Header always set X-Xss-Protection "1; mode=block"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy strict-origin-when-cross-origin
Header always set Content-Security-Policy "default-src https: 'self' *.tawk.to *.cloudflare.com *.google-analytics.com wss://*.tawk.to; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.tawk.to *.cloudflare.com *.google-analytics.com wss://*.tawk.to https://cjshare.com *.cjshare.com *.cleverjump.org *.jsdelivr.net https://sharebutton.net *.sharebutton.net; style-src 'self' 'unsafe-inline' *.jsdelivr.net; img-src data: *; object-src 'none'"
If you are going to create your own Content Security Policy (CSP) rule, then I recommend this rule tester: https://csp-evaluator.withgoogle.com/
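As an added example (not part of the post above, and not the csp-evaluator tool itself), the following script parses the Content-Security-Policy value from the post and reports the source expressions that still leave script injection possible; the heuristics (`'unsafe-inline'` without a nonce or hash, `'unsafe-eval'`, scheme or wildcard sources in `script-src`, a non-`'none'` `object-src`, missing `base-uri` and `form-action`) are my own implementation of the kind of findings such evaluators raise.

```python
from typing import Dict, List

# Sample input: the Content-Security-Policy value from the post above.
SAMPLE_CSP = (
    "default-src https: 'self' *.tawk.to *.cloudflare.com *.google-analytics.com wss://*.tawk.to; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.tawk.to *.cloudflare.com *.google-analytics.com "
    "wss://*.tawk.to https://cjshare.com *.cjshare.com *.cleverjump.org *.jsdelivr.net "
    "https://sharebutton.net *.sharebutton.net; style-src 'self' 'unsafe-inline' *.jsdelivr.net; "
    "img-src data: *; object-src 'none'"
)

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.
    Directives are ';'-separated; browsers honour only the first copy of a directive."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def script_weaknesses(policy: Dict[str, List[str]]) -> List[str]:
    """Report source expressions that leave script injection possible (own heuristics)."""
    findings: List[str] = []
    # script-src and object-src fall back to default-src when absent.
    scripts = policy.get("script-src", policy.get("default-src", []))
    objects = policy.get("object-src", policy.get("default-src", []))
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts)
    # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is present.
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("script-src 'unsafe-inline': injected inline scripts and event handlers still run")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src 'unsafe-eval': eval()/new Function() on untrusted strings is allowed")
    for src in scripts:
        if src in ("*", "http:", "https:", "data:"):
            findings.append(f"script-src {src}: any script from that scheme or host set is allowed")
    if "'none'" not in objects:
        findings.append("object-src is not 'none': plugin content can sidestep script-src")
    # base-uri and form-action have no default-src fallback, so absent means unrestricted.
    for directive in ("base-uri", "form-action"):
        if directive not in policy:
            findings.append(f"{directive} missing: not covered by default-src")
    return findings

if __name__ == "__main__":
    for line in script_weaknesses(parse_csp(SAMPLE_CSP)):
        print("-", line)
```

Run against the post's policy it reports four findings: the two `unsafe-*` keywords in `script-src` and the two missing directives; `object-src 'none'` passes.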