CSP SPIP
Example (HAD):
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Blocks a file loaded as a "style" whose MIME type is not text/css, or as a "script" whose MIME type is not a JavaScript MIME type.
Header set X-XSS-Protection "1; mode=block"
Protects against XSS attacks.
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' *.had-nantesetregion.fr *.google.com *.google.fr *.gstatic.com *.googleapis.com *.google-analytics.com *.googletagmanager.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google-analytics.com *.googletagmanager.com *.googleapis.com"
The original had two separate "Header set Content-Security-Policy" lines; in Apache the second "set" replaces the first, so the default-src part would be dropped. Both directives go in one header, separated by a semicolon.
Check the plugins and libraries in use so that you do not block them.
Wildcards are possible (e.g. *.google.com).
If no specific ...-src directive is present, default-src is the fallback.
Check the browser console to see the errors and adjust the conditions accordingly.
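An added example (not part of the original notes) that parses the merged HAD policy above and resolves which sources apply to a given directive: script-src is taken as written, while img-src has no directive of its own and falls back to default-src. Wildcard hosts like *.google.com match subdomains only. The page origin https://www.had-nantesetregion.fr is an assumption for the 'self' check, and scheme matching is simplified.

```python
"""Resolve effective CSP sources (default-src fallback + wildcard hosts)."""
from urllib.parse import urlsplit

# Constructed: the two HAD policies merged into one header value, since a
# second Apache "Header set" would replace the first rather than add to it.
HAD_CSP = (
    "default-src 'self' 'unsafe-inline' *.had-nantesetregion.fr *.google.com "
    "*.google.fr *.gstatic.com *.googleapis.com *.google-analytics.com "
    "*.googletagmanager.com; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google-analytics.com "
    "*.googletagmanager.com *.googleapis.com"
)

# Fetch directives fall back to default-src when absent; directives such as
# frame-ancestors or base-uri do not.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src",
                    "connect-src", "media-src", "frame-src", "object-src"}

# Assumed origin of the SPIP site, used for the 'self' keyword.
PAGE_ORIGIN = "https://www.had-nantesetregion.fr"


def parse_csp(header):
    """Turn 'name src src; name src' into {name: [src, ...]}; first wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    if directive in policy:
        return policy[directive]           # explicit directive: no fallback
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src", [])
    return []                              # non-fetch directive: nothing applies


def host_matches(pattern, host):
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.google.com" -> ".google.com"
    return pattern == host


def is_allowed(policy, directive, url, page_origin=PAGE_ORIGIN):
    target = urlsplit(url)
    for src in effective_sources(policy, directive):
        if src == "'self'" and f"{target.scheme}://{target.netloc}" == page_origin:
            return True
        if not src.startswith("'") and host_matches(src.lower(), target.hostname):
            return True
    return False
```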
Docs used:
https://gf.dev/csp-test
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
https://stackoverflow.com/