-rw-r--r-- | _posts/2025-09-04-activating-csp-for-my-blog.md | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/_posts/2025-09-04-activating-csp-for-my-blog.md b/_posts/2025-09-04-activating-csp-for-my-blog.md new file mode 100644 index 0000000..49a985b --- /dev/null +++ b/_posts/2025-09-04-activating-csp-for-my-blog.md @@ -0,0 +1,27 @@ +--- +layout: post +title: Activating CSP for my blog +date: 2025-09-03 19:29 +0200 +lang: en +categories: tech +--- + +Recently, I stumbled across a [media.ccc.de](https://media.ccc.de/) talk about [internal.nl](https://internet.nl/). +Basically, this is a website that tests your website security. + +For me, it deducted points for missing HTTP headers. Amongst them, +[`Content-Security-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP). +Basically, that header says what content may be loaded on the website. +Especially, it can prevent loading stuff from external sites. (Cross Site Scripting as attack scenario). + +So, basically, it doesn't add *much* value for my blog, since this is a static site and I control the content. +Sure, there is my comment system, but even that I consider safe enough to handle escaping. So +setting the header was mostly done to score fake internet points only. But also, a chance to learn something. + +Because, even after adding `self` and my domains to the respective header fields, some stuff would not work. +Mainly because of inline scripts and inline styles. So I put them in separate js files and created CSS classes. + +One thing that doesn't work anymore are avatars for the ActivityPub comments (and probably for the Isso comments?). +This is because I have no idea from what servers I will get comments. So, I replaced the avatars by a grey square. + +And that's it already, really. |
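Review bot: the CSP keyword should be written as `'self'` with single quotes; the post body says `self` was added to the respective header fields, and in a CSP source list an unquoted `self` is parsed as a host name rather than the keyword, so please confirm the deployed header reads e.g. `default-src 'self'` and correct the text to match. Two smaller points in the same hunk: the link text `internal.nl` does not match its target `https://internet.nl/`, and the `date: 2025-09-03` front matter disagrees with the `2025-09-04` date in the file name. On the avatar paragraph, a scheme source such as `img-src https:` would allow avatars from any HTTPS origin without knowing the comment servers in advance, if that trade-off is acceptable for the grey-square replacement described there.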