Added content-security policy for SVG files in webserver config

jbtronics · jbtronics · commit 2b694731ad97 · 2025-05-18T20:38:53.000+02:00
diff --git a/docs/installation/nginx.md b/docs/installation/nginx.md
@@ -52,6 +52,11 @@ server {
     location ~ \.php$ {
         return 404;
     }
+    
+    # Set Content-Security-Policy for svg files, to block embedded javascript in there
+    location ~* \.svg$ {
+        add_header Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';";
+    }
 
     error_log /var/log/nginx/parts.error.log;
     access_log /var/log/nginx/parts.access.log;
diff --git a/public/.htaccess b/public/.htaccess
@@ -118,3 +118,10 @@ DirectoryIndex index.php
         # RedirectTemp cannot be used instead
     </IfModule>
 </IfModule>
+
+# Set Content-Security-Policy for svg files (and compressed variants), to block embedded javascript in there
+<IfModule mod_headers.c>
+    <FilesMatch "\.(svg|svg\.gz|svg\.br)$">
+        Header set Content-Security-Policy "default-src 'self'; script-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';"
+    </FilesMatch>
+</IfModule>
