Replace link for creating CSP (#1564)

* Replace link for creating CSP

* Update extra-security.conf to match upstream

* Update extra-security.conf without overwriting the three upper options

Author: Dyras

roles/nginx/templates/h5bp/directive-only/extra-security.conf

@@ -10,8 +10,27 @@ add_header X-Content-Type-Options nosniff always;
 # The header instructs IE to enable its inbuilt anti-cross-site scripting filter.
 add_header X-XSS-Protection "1; mode=block" always;
 
-# with Content Security Policy (CSP) enabled (and a browser that supports it (http://caniuse.com/#feat=contentsecuritypolicy),
-# you can tell the browser that it can only download content from the domains you explicitly allow
-# CSP can be quite difficult to configure, and cause real issues if you get it wrong
-# There is website that helps you generate a policy here http://cspisawesome.com/
+# Mitigate the risk of cross-site scripting and other content-injection
+# attacks.
+#
+# This can be done by setting a Content Security Policy which permits
+# trusted sources of content for your website.
+#
+# There is no policy that fits all websites, you will have to modify the
+# `Content-Security-Policy` directives in the example depending on your needs.
+#
+# To make your CSP implementation easier, you can use an online CSP header
+# generator such as:
+# https://report-uri.com/home/generate/
+#
+# It is encouraged that you validate your CSP header using a CSP validator
+# such as:
+# https://csp-evaluator.withgoogle.com
+#
+# https://www.w3.org/TR/CSP/
+# https://owasp.org/www-project-secure-headers/#content-security-policy
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+# https://developers.google.com/web/fundamentals/security/csp
+# https://content-security-policy.com/
+
 # add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;" always;