Add a Content Security Policy

nginx/nginx.conf

@@ -63,6 +63,12 @@ http {
       # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
       add_header X-Xss-Protection "1; mode=block" always;
 
+      # with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
+      # you can tell the browser that it can only download content from the domains you explicitly allow
+      # http://www.html5rocks.com/en/tutorials/security/content-security-policy/
+      # https://www.owasp.org/index.php/Content_Security_Policy
+      add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' ; img-src 'self' data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.materialdesignicons.com; font-src 'self' https://cdn.materialdesignicons.com https://fonts.gstatic.com/; object-src 'none'";
+
       location /admin {
           alias /var/www/html/admin;
           index index.html;