mirror/Part-DB.Part-DB-server
1
0
Fork 1
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2025-06-20 17:15:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Added content-security policy for SVG files in webserver config

Browse source
This commit is contained in:
Jan Böhmer 2025-05-18 20:38:53 +02:00
parent 7e34535e62
commit 2b694731ad
2 changed files with 12 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
docs/installation/nginx.md
View file

@ -53,6 +53,11 @@ server {
return 404;
}
# Set Content-Security-Policy for svg files, to block embedded javascript in there
location ~* \.svg$ {
add_header Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';";
}
error_log /var/log/nginx/parts.error.log;
access_log /var/log/nginx/parts.access.log;

7
public/.htaccess
View file

@ -118,3 +118,10 @@ DirectoryIndex index.php
# RedirectTemp cannot be used instead
</IfModule>
</IfModule>
# Set Content-Security-Policy for svg files (and compressed variants), to block embedded javascript in there
<IfModule mod_headers.c>
<FilesMatch "\.(svg|svg\.gz|svg\.br)$">
Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';"
</FilesMatch>
</IfModule>