CSP headers

Created at 2023-04-12 07:33:38 (10 months ago)

I'm trying to figure out if I can secure the site a bit more with the help of Content Security Policy (CSP). We can limit XSS attacks and only allow certain content to be loaded from certain places (for instance, injected JavaScript would not run directly, because the site, and thus your browser, is told not to trust or run it).

However, the main problem with this is that we are using the Alpine.js framework for some JavaScript functionality on the site. This framework uses a system that requires eval(), and thus we must allow unsafe JavaScript (eval) to run on the site. This pretty much defeats the purpose.

There is a non-eval version of Alpine.js called alpinejs-csp. But it has a lot of constraints and is not officially released, so I don't want to use it for now.
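To make the trade-off concrete, here is an added example (not part of the original post) that parses a CSP header the way a browser splits it into directives and reports what the effective script policy still permits. The two sample headers are constructed: a strict one, and the one the eval-based Alpine.js build forces you to ship.

```python
"""Audit a Content-Security-Policy header for script-execution weaknesses."""
from __future__ import annotations

# Hash/nonce source expressions: when present, browsers ignore 'unsafe-inline'.
_NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
_BROAD_SOURCES = {"*", "https:", "http:", "data:"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.

    Directives are ';'-separated; the first token is the (case-insensitive)
    name, the rest are source expressions. Browsers ignore a repeated
    directive, so the first occurrence wins here too.
    """
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_script_sources(policy: dict[str, list[str]]) -> list[str]:
    """script-src governs scripts; if absent, browsers fall back to default-src."""
    return policy.get("script-src", policy.get("default-src", []))


def audit_script_policy(header: str) -> list[str]:
    """Return findings describing how injected or remote scripts could still run."""
    sources = effective_script_sources(parse_csp(header))
    if not sources:
        return ["no script-src or default-src: scripts from anywhere may run"]
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(_NONCE_OR_HASH_PREFIXES) for s in lowered)
    findings: list[str] = []
    for src in lowered:
        if src == "'unsafe-eval'":
            findings.append("'unsafe-eval': eval()/new Function() allowed (what the standard Alpine.js build needs)")
        elif src == "'unsafe-inline'" and not has_nonce_or_hash:
            findings.append("'unsafe-inline': inline <script> and on* handlers run, so injected markup executes")
        elif src in _BROAD_SOURCES:
            findings.append(f"{src}: wildcard/scheme source lets scripts load from any matching host")
    return findings


# Constructed sample headers for the two policies discussed above.
STRICT_CSP = "default-src 'self'; script-src 'self'; object-src 'none'"
ALPINE_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval'; object-src 'none'"

if __name__ == "__main__":
    for label, header in (("strict", STRICT_CSP), ("alpine", ALPINE_CSP)):
        print(label, audit_script_policy(header) or ["no script weaknesses found"])
```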

csp alpinejs

About jaytaph

Codemuser extraordinaire

Loves building crazy and insane stuff. Happiest when left alone. All I wanted was a Pepsi, just a Pepsi.

Joined: March 24, 2023