We are trying to implement security headers on our website, and one of them is Content-Security-Policy.
I started adding sources that we trust, but I am having issues opening the Umbraco back office because it's trying to execute inline scripts.
Another issue I faced is that if I try putting in a hash value, I always get a "new one"; it looks like the script is "generated" on the fly, or there are 10+ scripts that are printed and executed inline.
Is there any easy workaround for this issue that we are facing?
I wrote about this in depth here: https://cultiv.nl/blog/so-you-want-to-secure-your-umbraco-site/
Basically you need to ignore Umbraco paths, like so:
<urlCompression doStaticCompression="false" doDynamicCompression="false" dynamicCompressionBeforeCache="false" />
<remove name="X-Frame-Options" />
<add name="X-Frame-Options" value="SAMEORIGIN" />
<remove name="Content-Security-Policy" />
<add name="Content-Security-Policy" value="default-src 'self' www.gravatar.com player.vimeo.com *.vimeocdn.com packages.umbraco.org our.umbraco.org;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: www.gravatar.com umbraco.tv;font-src 'self';" />
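Added example, not part of the reply above: one way to "ignore" the back office is to scope the relaxed policy to the Umbraco path with an IIS `<location>` element in web.config, so the public site keeps a strict policy (no 'unsafe-inline' or 'unsafe-eval') and only pages under /umbraco get the permissive one the reply shows. The path and the source lists are assumptions; adjust them to your site.

```xml
<!-- Added example, not the reply's own config. Assumes the back office lives
     under /umbraco and that the public site needs no inline script or eval. -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Strict policy for the public site: same-origin scripts/styles only,
             no inline scripts, no eval; frame-ancestors mirrors X-Frame-Options -->
        <remove name="Content-Security-Policy" />
        <add name="Content-Security-Policy"
             value="default-src 'self'; script-src 'self' player.vimeo.com; style-src 'self'; img-src 'self' data: www.gravatar.com; font-src 'self'; frame-ancestors 'self'" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>

  <!-- Back office only: the Umbraco UI emits inline scripts and uses eval,
       so allow them here and nowhere else -->
  <location path="umbraco">
    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <!-- remove the inherited header first, otherwise IIS rejects the
               duplicate 'add' with the same name -->
          <remove name="Content-Security-Policy" />
          <add name="Content-Security-Policy"
               value="default-src 'self' www.gravatar.com packages.umbraco.org our.umbraco.org; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: www.gravatar.com umbraco.tv; font-src 'self'" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>
  </location>
</configuration>
```

To check it took effect, request `/` and `/umbraco/` (for example with `curl -I`) and confirm the Content-Security-Policy header differs between the two; any remaining violations show up in the browser console. Hashes are not a workable alternative for the back office here, because the inline scripts it renders change between loads, so the hash you compute is stale on the next request.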
Do you have an updated link? It seems that the link now goes to the default Umbraco installation screen.
Thank you :)
This worked, thank you a lot!