Content Security Policy (CSP)
Content Security Policy (CSP) Notes
- Information that goes into the HTTP header
- A whitelist for security
  - If you never put it into the HTTP header in the first place, you will not run into a situation where something stops working because of CSP
  - Since there is then no whitelist, everything is allowed
- It must be added on the server via the HTTP header setting
  - You can add it in the Apache web server configuration
  - You can also add it via an HTML meta tag
    - Adding it via a meta tag is less strict than sending the CSP via the header
      - Even if `unsafe-inline` is not specified, inline JavaScript (such as a React build output file) can still run
- For security, it is of course better to set up a CSP
- The level of support differs from browser to browser
  - Safari does not support all of it
  - So depending on the browser, you need to branch the header settings appropriately in the Apache web server
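The whitelist behaviour described in these notes (no header means everything is allowed; with a header only listed sources run; inline script needs `unsafe-inline`) can be checked with a small evaluator. This is an added example, not code from the notes; it covers only `script-src`/`default-src` with host, scheme, `'self'` and `'none'` sources, and the policies and URLs in it are made up for illustration.

```python
from urllib.parse import urlparse


def parse_csp(policy):
    """'default-src 'self'; script-src a.example' -> {'default-src': ["'self'"], ...}"""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):          # *.example.com matches cdn.example.com
        return host.endswith(pattern[1:])
    return pattern == host


def _source_matches(src, script_url, page_origin):
    """Does one source expression permit loading script_url from page_origin?"""
    url, origin = urlparse(script_url), urlparse(page_origin)
    if src == "'self'":
        return (url.scheme, url.netloc) == (origin.scheme, origin.netloc)
    if src.startswith("'"):               # other keywords never match a URL
        return False
    if src.endswith(":"):                 # scheme source such as https:
        return url.scheme == src[:-1]
    pat = urlparse(src if "://" in src else "//" + src)   # host source, optional scheme
    if pat.scheme and pat.scheme != url.scheme:
        return False
    return _host_matches(pat.hostname or "", url.hostname or "")


def script_allowed(policy, page_origin, script_url=None):
    """True if a script may run. policy=None means no CSP header was sent;
    script_url=None means an inline <script> rather than an external file."""
    if policy is None:                    # no header, no whitelist: everything is allowed
        return True
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:                   # neither directive present: scripts unrestricted
        return True
    if script_url is None:                # inline script is allowed only with 'unsafe-inline'
        return "'unsafe-inline'" in sources
    if "'none'" in sources:
        return False
    return any(_source_matches(s, script_url, page_origin) for s in sources)
```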
Reference: Content Security Policy
20210729