OWASP has recently updated its guidance on the Content-Security-Policy header.
To protect against Cross-Site Scripting, set the 'default-src' policy, or both 'script-src' AND 'object-src', with proper values. Insecure values such as '*', 'data:', 'unsafe-inline', or 'unsafe-eval' should be avoided.
To protect against Cross-Frame Scripting or clickjacking, set the 'frame-ancestors' policy with proper values. Insecure values such as '*' or 'data:' should be avoided.
A protected resource's ability to load Workers is now controlled via child-src rather than script-src.
base-uri controls the protected resource's ability to specify the document base URL.
child-src deprecates and replaces frame-src, controlling the protected resource's ability to embed frames.
form-action controls the protected resource's ability to submit forms.
frame-ancestors controls the protected resource's ability to be embedded in other documents.
For example, to allow framing only by your own origin, by example.com, and by any subdomain of example.net, use:
Content-Security-Policy: frame-ancestors 'self' example.com *.example.net;
To prevent all framing of your content use:
Content-Security-Policy: frame-ancestors 'none';
To allow for your site only, use:
Content-Security-Policy: frame-ancestors 'self';
<!-- web.config (IIS), inside system.webServer/httpProtocol/customHeaders.
     Directives are separated by ';'. Replace https://YOUR-SITE-URL with your site's origin. -->
<add name="Content-Security-Policy"
     value="frame-ancestors 'self'; child-src 'self' https://YOUR-SITE-URL" />
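The following is an added example, not OWASP's code or part of the original post. It is a small linter that applies the checks described above to a raw Content-Security-Policy header value: it parses the directives, resolves the default-src fallback for the fetch directives (script-src, object-src and child-src, per the page's description of the CSP Level 2 semantics), treats frame-ancestors as having no fallback (a policy that only sets default-src still permits framing), and flags the insecure source values named above. The sample header values at the bottom are constructed and include the page's own examples.

```python
"""Minimal Content-Security-Policy linter for the checks described on this page.

Constructed example, not OWASP code. It parses a CSP header value, applies the
default-src fallback for fetch directives (script-src, object-src, child-src),
and reports directives that are missing or that use insecure source values.
"""
from __future__ import annotations

# Values the page says to avoid in the XSS-relevant directives.
INSECURE_SCRIPT_SOURCES = {"*", "data:", "'unsafe-inline'", "'unsafe-eval'"}
# Values the page says to avoid in frame-ancestors.
INSECURE_FRAME_SOURCES = {"*", "data:"}

# Fetch directives that fall back to default-src when absent (assumption: the
# CSP Level 2 fallback set as described on the page). frame-ancestors is
# deliberately NOT in this set: it never inherits default-src.
FALLS_BACK_TO_DEFAULT = {"script-src", "object-src", "child-src"}


def parse_csp(header_value: str) -> dict[str, list[str]]:
    """Split "dir1 a b; dir2 c" into {"dir1": ["a", "b"], "dir2": ["c"]}.

    Directive names are case-insensitive; the first occurrence wins, because
    browsers ignore duplicate directives within one policy.
    """
    policy: dict[str, list[str]] = {}
    for token in header_value.split(";"):
        parts = token.split()
        if not parts:
            continue  # empty token, e.g. from a trailing ';'
        name = parts[0].lower()
        if name not in policy:
            policy[name] = parts[1:]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Return the source list that actually governs `directive`, or None if none does."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


def lint_csp(header_value: str) -> list[str]:
    """Return a list of findings; an empty list means the policy passes these checks."""
    policy = parse_csp(header_value)
    findings: list[str] = []

    # XSS: script-src and object-src must be governed, directly or via default-src.
    for directive in ("script-src", "object-src"):
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive}: not set and no default-src fallback")
            continue
        bad = sorted(s for s in sources if s.lower() in INSECURE_SCRIPT_SOURCES)
        if bad:
            findings.append(f"{directive}: insecure value(s) {', '.join(bad)}")

    # Clickjacking: frame-ancestors has no fallback, so it must be present explicitly.
    sources = effective_sources(policy, "frame-ancestors")
    if sources is None:
        findings.append("frame-ancestors: not set (default-src does not apply to framing)")
    else:
        bad = sorted(s for s in sources if s.lower() in INSECURE_FRAME_SOURCES)
        if bad:
            findings.append(f"frame-ancestors: insecure value(s) {', '.join(bad)}")
    return findings


if __name__ == "__main__":
    # Constructed sample header values, including the examples from the page.
    samples = [
        "frame-ancestors 'self' example.com *.example.net;",
        "default-src 'self'; frame-ancestors 'none'",
        "default-src *; script-src 'unsafe-inline'; frame-ancestors *",
        "frame-ancestors 'self'; child-src 'self' https://www.example.com",
    ]
    for value in samples:
        print(value)
        for finding in lint_csp(value) or ["OK"]:
            print("  -", finding)
```

Run it as a script to see the findings for each sample; note that the page's frame-ancestors-only examples pass the clickjacking check but are still reported as lacking script-src and object-src protection, which is exactly the gap the first paragraph above warns about.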