rieth.dev / practice
practice doing this
fork atom
practice / config / initializers / content_security_policy.rb
at main 1.3 kB view raw
1# Be sure to restart your server when you modify this file. 2 3# Define an application-wide content security policy. 4# See the Securing Rails Applications Guide for more information: 5# https://guides.rubyonrails.org/security.html#content-security-policy-header 6 7# Rails.application.configure do 8# config.content_security_policy do |policy| 9# policy.default_src :self, :https 10# policy.font_src :self, :https, :data 11# policy.img_src :self, :https, :data 12# policy.object_src :none 13# policy.script_src :self, :https 14# policy.style_src :self, :https 15# # Specify URI for violation reports 16# # policy.report_uri "/csp-violation-report-endpoint" 17# end 18# 19# # Generate session nonces for permitted importmap, inline scripts, and inline styles. 20# config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s } 21# config.content_security_policy_nonce_directives = %w(script-src style-src) 22# 23# # Automatically add `nonce` to `javascript_tag`, `javascript_include_tag`, and `stylesheet_link_tag` 24# # if the corresponding directives are specified in `content_security_policy_nonce_directives`. 25# # config.content_security_policy_nonce_auto = true 26# 27# # Report violations without enforcing the policy. 28# # config.content_security_policy_report_only = true 29# end