
Commit 55068b5

committed
CSP exploration
1 parent a1fbf1a commit 55068b5


2 files changed

+20
-19
lines changed


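--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -66,6 +66,7 @@
 
 # Use a different cache store in production.
 # config.cache_store = :mem_cache_store
+config.cache_store = :redis_cache_store, { url: ENV['REDIS_URL'] }
 
 # Use a real queuing backend for Active Job (and separate queues per environment).
 # config.active_job.queue_adapter = :resque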
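Review bot: `ENV['REDIS_URL']` on the added line 69 evaluates to nil when the variable is unset, so a host missing that setting would boot with whatever connection the Redis cache store falls back to rather than failing loudly; `config.cache_store = :redis_cache_store, { url: ENV.fetch('REDIS_URL') }` turns the missing value into a startup error. If the URL embeds credentials, make sure it stays out of logs and error reports, and prefer a TLS `rediss://` URL when the cache host is not on the same machine — the hunk does not show how it is provisioned, so that part is an assumption.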

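--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -4,22 +4,22 @@
 # See the Securing Rails Applications Guide for more information:
 # https://guides.rubyonrails.org/security.html#content-security-policy-header
 
-# Rails.application.configure do
-# config.content_security_policy do |policy|
-# policy.default_src :self, :https
-# policy.font_src :self, :https, :data
-# policy.img_src :self, :https, :data
-# policy.object_src :none
-# policy.script_src :self, :https
-# policy.style_src :self, :https
-# # Specify URI for violation reports
-# # policy.report_uri "/csp-violation-report-endpoint"
-# end
-#
-# # Generate session nonces for permitted importmap, inline scripts, and inline styles.
-# config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
-# config.content_security_policy_nonce_directives = %w(script-src style-src)
-#
-# # Report violations without enforcing the policy.
-# # config.content_security_policy_report_only = true
-# end
+Rails.application.configure do
+config.content_security_policy do |policy|
+policy.default_src :self, :https
+policy.font_src :self, :https, :data
+policy.img_src :self, :https, :data
+policy.object_src :none
+policy.script_src :self, :https, :unsafe_inline
+policy.style_src :self, :https, :unsafe_inline
+# Specify URI for violation reports
+# policy.report_uri "/csp-violation-report-endpoint"
+end
+#
+# Generate session nonces for permitted importmap, inline scripts, and inline styles.
+# config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
+# config.content_security_policy_nonce_directives = %w(script-src style-src)
+#
+# Report violations without enforcing the policy.
+config.content_security_policy_report_only = true
+end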
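Review bot: The new policy adds `:unsafe_inline` to both `policy.script_src` and `policy.style_src` (new lines 13 and 14), which permits any inline script a page ends up containing and so gives up most of the XSS mitigation a CSP is meant to provide, while the nonce generator and `config.content_security_policy_nonce_directives` lines that would make inline scripts safe stay commented out. Because `config.content_security_policy_report_only = true` is set, nothing is enforced yet, but `policy.report_uri` is also still commented, so violations only reach the browser console and no one collects the data this exploration is presumably meant to gather. I would drop `:unsafe_inline` from `script_src`, enable the nonce generator and directives, and point `report_uri` at a real collector before using report-only output to decide when to enforce; if the nonce generator is enabled, a per-request value such as `SecureRandom.base64(16)` is a stronger choice than the session id, which stays constant for the whole session. As a style point, the bare `#` lines at 18 and 22 are leftovers from uncommenting the template and can be removed.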
