Site Building: CSP
Content Security Policy, CSP for short, defines which resources a page may load, which strengthens security.
My configuration is as follows:
# HSTS: browsers use HTTPS only for this host for one year
add_header Strict-Transport-Security "max-age=31536000";
# Forbid rendering the site inside any frame
add_header X-Frame-Options deny;
# Disable MIME type sniffing
add_header X-Content-Type-Options nosniff;
# Enable the legacy browser XSS filter in blocking mode
add_header X-XSS-Protection '1; mode=block';
# CSP: allowed sources per resource type
add_header Content-Security-Policy "default-src https: 'self'; script-src https: 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.dujun.io; style-src https: 'self' 'unsafe-inline' https://cdn.dujun.io; img-src https: 'self' data: https://cdn.dujun.io; object-src https: 'self' 'unsafe-inline' https://cdn.dujun.io; child-src https: 'self'";
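The policy above, run through a small auditor, as an added example that is not part of the original post: it parses the header value and flags the source expressions that weaken it. The issue labels and the choice of checks are this example's own assumptions, not a standard.

```python
# Added example: audit the Content-Security-Policy value from the nginx config above.
POLICY = (
    "default-src https: 'self'; script-src https: 'self' 'unsafe-inline' 'unsafe-eval' "
    "https://cdn.dujun.io; style-src https: 'self' 'unsafe-inline' https://cdn.dujun.io; "
    "img-src https: 'self' data: https://cdn.dujun.io; object-src https: 'self' "
    "'unsafe-inline' https://cdn.dujun.io; child-src https: 'self'"
)
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
BROAD = {"*", "http:", "https:", "data:"}  # wildcard or scheme-only: not tied to a host


def parse_csp(policy):
    """Return {directive: [sources]}; a repeated directive is ignored, as in browsers."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def audit(policy):
    """Return (directive, issue) pairs; the issue names are this example's own labels."""
    d = parse_csp(policy)
    findings = []
    # Fetch directives fall back to default-src when absent.
    scripts = d.get("script-src", d.get("default-src"))
    if scripts is None:
        findings.append(("script-src", "unrestricted"))
    else:
        pinned = any(s.lower().startswith(HASH_OR_NONCE) for s in scripts)
        if "'unsafe-inline'" in scripts and not pinned:
            findings.append(("script-src", "inline-script-allowed"))
        if "'unsafe-eval'" in scripts:
            findings.append(("script-src", "eval-allowed"))
        if BROAD & set(scripts):
            findings.append(("script-src", "scheme-wide-source"))
    if d.get("object-src", d.get("default-src")) != ["'none'"]:
        findings.append(("object-src", "plugins-not-disabled"))
    # These two never fall back to default-src, so they must be set explicitly.
    for name in ("base-uri", "form-action"):
        if name not in d:
            findings.append((name, "missing-no-fallback"))
    return findings


if __name__ == "__main__":
    for directive, issue in audit(POLICY):
        print(f"{directive}: {issue}")
```

With `https:` in script-src, the explicit https://cdn.dujun.io entry adds nothing, because the scheme source already matches every HTTPS host.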