path: root/_posts/2025-09-04-activating-csp-for-my-blog.md
blob: 49a985b89061fdf5c7824f43e19f70b086343ba7 (plain)
---
layout: post
title: Activating CSP for my blog
date: 2025-09-03 19:29 +0200
lang: en
categories: tech
---

Recently, I stumbled across a [media.ccc.de](https://media.ccc.de/) talk about [internet.nl](https://internet.nl/).
Basically, this is a website that tests the security of your website.

For me, it deducted points for missing HTTP headers. Amongst them,
[`Content-Security-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP).
Basically, that header tells the browser from which sources content may be loaded on the website.
In particular, it can prevent loading stuff from external sites (the attack scenario here being Cross Site Scripting).

So, basically, it doesn't add *much* value for my blog, since this is a static site and I control the content.
Sure, there is my comment system, but even that I consider safe enough in how it handles escaping. So
setting the header was mostly done to score fake internet points. But it was also a chance to learn something.

Because, even after adding `self` and my domains to the respective header fields, some stuff would not work,
mainly because of inline scripts and inline styles. So I moved them into separate JS files and created CSS classes.

One thing that doesn't work anymore are avatars for the ActivityPub comments (and probably for the Isso comments?).
This is because I have no idea which servers the comments will come from, so I replaced the avatars with a grey square.

And that's it already, really.