Content-Security-Policy (CSP) is an HTTP response header specification proposed in 2010, intended to prevent Cross-Site Scripting (XSS) and cross-origin replacement of embedded page content such as plugins.
Example (nginx):

server {
    add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' http://connect.facebook.net https://d.line-scdn.net;";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
}
Do not put a colon after a directive name
Wrong: default-src: 'self'
Correct: default-src 'self'
Directives are separated by semicolons
Wrong: default-src 'self', script-src 'self'
Correct: default-src 'self'; script-src 'self'
Multiple sources are separated by whitespace only
Wrong: default-src 'self'; img-src 'self', img1.devco.re, img2.devco.re
Correct: default-src 'self'; img-src 'self' web1.nc.com.tw web2.nc.com.tw
Some sources must end with a colon (scheme sources such as https: and data:)
Wrong: default-src 'self'; img-src 'self' https data
Correct: default-src 'self'; img-src 'self' https: data:
Some sources must be wrapped in single quotes ('none', 'self', 'unsafe-inline', 'unsafe-eval'), and these must be straight ASCII quotes
Wrong: script-src self unsafe-inline unsafe-eval
Correct: script-src 'self' 'unsafe-inline' 'unsafe-eval'
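As an added example that is not part of the original post, here is a small Python linter for a CSP header value that flags exactly the mistakes listed above (colon after a directive, commas as separators, scheme sources without a trailing colon, unquoted or curly-quoted keywords). The keyword and scheme lists are taken from the rules above; it is a constructed check for these syntax errors, not a full CSP grammar validator.

```python
# Source keywords the CSP grammar requires to be wrapped in straight single
# quotes, and scheme sources that must end with a colon (lists from the rules above).
KEYWORDS = {"none", "self", "unsafe-inline", "unsafe-eval"}
SCHEMES = {"http", "https", "data"}
# Curly quotes are what you get when a policy is pasted from a blog or a word
# processor; browsers do not treat them as CSP keyword quotes.
CURLY = "\u2018\u2019"


def lint_csp(policy):
    """Return a list of syntax problems found in a CSP header value.

    Only the mistakes listed above are checked: an empty list means none of
    them was found, not that the policy is a strong one.
    """
    problems = []
    if "," in policy:
        problems.append("comma found: separate directives with ';' and sources with spaces")
        policy = policy.replace(",", " ")  # keep going so later checks still make sense
    if any(ch in policy for ch in CURLY):
        problems.append("curly quotes found: keywords need straight single quotes (')")
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:
            continue  # empty segment, e.g. after a trailing ';'
        name, sources = tokens[0], tokens[1:]
        if name.endswith(":"):
            problems.append(f"directive {name} must not be followed by a colon")
            name = name.rstrip(":")
        for src in sources:
            bare = src.strip("'" + CURLY)
            quoted = len(src) >= 2 and src[0] == "'" and src[-1] == "'"
            if bare in KEYWORDS and not quoted:
                problems.append(f"{name}: '{bare}' must be wrapped in single quotes")
            elif bare in SCHEMES and not src.endswith(":"):
                problems.append(f"{name}: scheme source {bare} needs a trailing colon")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the wrong/correct pairs from the list above.
    for value in (
        "default-src: 'self'",
        "default-src 'self', script-src 'self'",
        "default-src 'self'; img-src 'self' https data",
        "script-src self unsafe-inline unsafe-eval",
        "default-src 'self'; img-src 'self' https: data:",
    ):
        print(value, "->", lint_csp(value) or "ok")
```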