CSP headers
I'm trying to figure out whether I can harden the site a bit more with a Content Security Policy (CSP). A CSP mitigates XSS attacks by only allowing certain kinds of content to be loaded from certain places; for instance, injected JavaScript would not run, because the site (and thus your browser) is told not to trust or execute it.
However, the main problem with this is that we use the Alpine.js framework for some of the JavaScript functionality on the site. Alpine evaluates its expressions with eval(), so we would have to allow unsafe (eval-based) JavaScript execution for the site to work at all. This pretty much defeats the purpose.
There is a non-eval version of Alpine.js called alpinejs-csp, but it has a lot of constraints and is not officially released, so I don't want to use it for now.
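To make the trade-off concrete, here is a small CSP checker (an added example, not code from this post): it parses a policy header, resolves the script-src fallback to default-src, and reports the keywords that weaken XSS protection. The three policy strings are constructed samples; the second is the shape a site needs once eval()-based Alpine is in play.

```python
"""Parse a Content-Security-Policy header and report which script-src
keywords weaken its XSS protection. Added example; the policies below
are constructed samples, not taken from the original post."""

# Fetch directives that fall back to default-src when not set explicitly.
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "connect-src", "font-src"}

# Source expressions that undo most of what script-src is meant to enforce.
WEAK_KEYWORDS = ("'unsafe-eval'", "'unsafe-inline'", "*")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.
    Directives are ';'-separated; the first token is the directive name.
    A repeated directive is ignored after its first occurrence, as browsers do."""
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Return the source list that actually governs `directive`.
    If it is absent, the browser falls back to default-src when one exists;
    with neither present there is no restriction at all (empty list)."""
    if directive in policy:
        return policy[directive]
    if directive in FALLBACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return []


def script_weaknesses(header: str) -> list[str]:
    """List the weak keywords in the policy's effective script-src."""
    sources = effective_sources(parse_csp(header), "script-src")
    return [s for s in sources if s.lower() in WEAK_KEYWORDS]


# Constructed sample policies.
STRICT_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
ALPINE_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval'; object-src 'none'"
DEFAULT_ONLY_CSP = "default-src 'self' 'unsafe-eval'"  # no script-src: default-src applies

if __name__ == "__main__":
    for label, csp in (("strict", STRICT_CSP), ("alpine", ALPINE_CSP), ("default-only", DEFAULT_ONLY_CSP)):
        print(f"{label}: script-src weaknesses = {script_weaknesses(csp) or 'none'}")
```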
About jaytaph
Codemuser extraordinaire