Warning: This page has not been updated in over a year and may be outdated or deprecated.
administration:security:content_security_policy

Differences

This shows you the differences between two versions of the page.

administration:security:content_security_policy [2020/07/24 05:50] – [Best Practices / Recommendations] xmorave2administration:security:content_security_policy [2020/07/24 05:52] – [Best Practices / Recommendations] xmorave2
Line 32: Line 32:
   * By default, VuFind is set up to be fairly permissive about which scripts it will execute; if you are not using any options that rely on external scripts, or if you can reliably eliminate the use of non-HTTPS files, you should consider applying more restrictive settings than the defaults.   * By default, VuFind is set up to be fairly permissive about which scripts it will execute; if you are not using any options that rely on external scripts, or if you can reliably eliminate the use of non-HTTPS files, you should consider applying more restrictive settings than the defaults.
   * By default, VuFind assumes that all CSS styles, images and fonts will be served up locally; if you are using any services (like Google fonts for example) or customizations that pull these resources in from third-party sites, you will need to set up more permissive settings.   * By default, VuFind assumes that all CSS styles, images and fonts will be served up locally; if you are using any services (like Google fonts for example) or customizations that pull these resources in from third-party sites, you will need to set up more permissive settings.
-  * Consider setting up a reporting server (see tool options listed above) so you can test whether any pages of your site are violating your CSP; once you have determined that the site is working as expected, you should turn off report_only settings for your production site in order to improve security.+  * Consider setting up a reporting server (see tool options listed above) so you can test whether any pages of your site are violating your CSP; once you have determined that the site is working as expected, you should change 'enable' settings from 'report_only' to 'true' for your production site in order to improve security.
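Review bot: The added wording in the last bullet quotes 'enable' as a setting name but does not say which configuration file or section holds it, so a reader cannot locate it from this sentence alone; name the file and section, and confirm the key is spelled exactly as it appears in the configuration. It would also help to state why the switch matters: in 'report_only' mode the browser only reports policy violations and still loads the offending resource, while 'true' makes it enforce the policy. Since the sentence says "for your production site", consider noting whether other environments have their own value for this setting.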
  
  
administration/security/content_security_policy.txt · Last modified: 2024/04/11 13:51 by demiankatz