author    uvok cheetah  2025-09-04 19:14:14 +0200
committer uvok cheetah  2025-09-04 19:14:14 +0200
commit    e2c6ff4075d102a116fabd4225686020cb45ac45 (patch)
tree      51f8093f9d015803c9cd6a05fe3a9220b983d06d
parent    a0fba9a4ed1289091c9f61bdc90d2b81f66c3171 (diff)
Add CSP post (HEAD, master)
-rw-r--r--  _posts/2025-09-04-activating-csp-for-my-blog.md  27
1 files changed, 27 insertions, 0 deletions
diff --git a/_posts/2025-09-04-activating-csp-for-my-blog.md b/_posts/2025-09-04-activating-csp-for-my-blog.md
new file mode 100644
index 0000000..49a985b
--- /dev/null
+++ b/_posts/2025-09-04-activating-csp-for-my-blog.md
@@ -0,0 +1,27 @@
+---
+layout: post
+title: Activating CSP for my blog
+date: 2025-09-03 19:29 +0200
+lang: en
+categories: tech
+---
+
+Recently, I stumbled across a [media.ccc.de](https://media.ccc.de/) talk about [internal.nl](https://internet.nl/).
+Basically, this is a website that tests your website security.
+
+For me, it deducted points for missing HTTP headers. Amongst them,
+[`Content-Security-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP).
+Basically, that header says what content may be loaded on the website.
+Especially, it can prevent loading stuff from external sites. (Cross Site Scripting as attack scenario).
+
+So, basically, it doesn't add *much* value for my blog, since this is a static site and I control the content.
+Sure, there is my comment system, but even that I consider safe enough to handle escaping. So
+setting the header was mostly done to score fake internet points only. But also, a chance to learn something.
+
+Because, even after adding `self` and my domains to the respective header fields, some stuff would not work.
+Mainly because of inline scripts and inline styles. So I put them in separate js files and created CSS classes.
+
+One thing that doesn't work anymore are avatars for the ActivityPub comments (and probably for the Isso comments?).
+This is because I have no idea from what servers I will get comments. So, I replaced the avatars by a grey square.
+
+And that's it already, really.
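Review bot: the link text `[internal.nl](https://internet.nl/)` in the first paragraph does not match its target; the testing site is internet.nl, so the text should read `internet.nl`. Separately, the paragraph "even after adding `self` and my domains to the respective header fields" writes the source keyword without quotes; in a `Content-Security-Policy` value the keyword must appear as `'self'` (an unquoted `self` is parsed as a host name and matches nothing useful), so quoting it in the post keeps readers from copying a directive that silently fails. A one-line mention of which directives were actually set (for example `default-src`, `script-src`, `style-src`, `img-src`) would also make the inline-script and avatar paragraphs easier to follow.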