Warning: This page has not been updated in over a year and may be outdated or deprecated.
administration:security:content_security_policy

Differences

This shows you the differences between two versions of the page.


administration:security:content_security_policy [2020/07/24 05:50] – [Best Practices / Recommendations] xmorave2
administration:security:content_security_policy [2020/09/22 13:26] demiankatz
Line 11: Line 11:
 ==== Configuration File ==== ==== Configuration File ====
  
-All settings related to Content Security Policies can be found in [[https://github.com/vufind-org/vufind/blob/master/config/vufind/contentsecuritypolicy.ini|contentsecuritypolicy.ini]].+All settings related to Content Security Policies can be found in [[https://github.com/vufind-org/vufind/blob/dev/config/vufind/contentsecuritypolicy.ini|contentsecuritypolicy.ini]].
  
 ==== Enforcing vs. Reporting ==== ==== Enforcing vs. Reporting ====
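Review bot: the link now points at the dev branch instead of master, and dev tracks unreleased work, so the contentsecuritypolicy.ini it shows may contain settings that do not exist in the VuFind release an administrator is actually running. Consider linking to the tag that matches the documented release, or adding a short clause that the linked file is the development version. The same change is made in the Receiving Reports section below, so the two references stay consistent.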
Line 19: Line 19:
 === Receiving Reports === === Receiving Reports ===
  
-When in reporting mode, you can set the report-to setting in [[https://github.com/vufind-org/vufind/blob/master/config/vufind/contentsecuritypolicy.ini|contentsecuritypolicy.ini]] to send reports of violations to a URI that implements a simple API. VuFind does not currently include a built-in reporting endpoint, but several options exist, including:+When in reporting mode, you can set the report-to setting in [[https://github.com/vufind-org/vufind/blob/dev/config/vufind/contentsecuritypolicy.ini|contentsecuritypolicy.ini]] to send reports of violations to a URI that implements a simple API. VuFind does not currently include a built-in reporting endpoint, but several options exist, including:
  
   * [[https://github.com/seek-oss/csp-server|seek-oss/csp-server]] - an open source, Node.js-based solution   * [[https://github.com/seek-oss/csp-server|seek-oss/csp-server]] - an open source, Node.js-based solution
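Review bot: same master to dev link change as in the Configuration File hunk, so both references agree. The sentence still tells the reader the URI must "implement a simple API" without saying which one; a pointer to what the listed tools accept would help someone evaluating an endpoint that is not in the list.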
Line 32: Line 32:
   * By default, VuFind is set up to be fairly permissive about which scripts it will execute; if you are not using any options that rely on external scripts, or if you can reliably eliminate the use of non-HTTPS files, you should consider applying more restrictive settings than the defaults.   * By default, VuFind is set up to be fairly permissive about which scripts it will execute; if you are not using any options that rely on external scripts, or if you can reliably eliminate the use of non-HTTPS files, you should consider applying more restrictive settings than the defaults.
   * By default, VuFind assumes that all CSS styles, images and fonts will be served up locally; if you are using any services (like Google fonts for example) or customizations that pull these resources in from third-party sites, you will need to set up more permissive settings.   * By default, VuFind assumes that all CSS styles, images and fonts will be served up locally; if you are using any services (like Google fonts for example) or customizations that pull these resources in from third-party sites, you will need to set up more permissive settings.
-  * Consider setting up a reporting server (see tool options listed above) so you can test whether any pages of your site are violating your CSP; once you have determined that the site is working as expected, you should turn off report_only settings for your production site in order to improve security.+  * Consider setting up a reporting server (see tool options listed above) so you can test whether any pages of your site are violating your CSP; once you have determined that the site is working as expected, you should change 'enable' settings from 'report_only' to 'true' for your production site in order to improve security.
  
  
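Review bot: the new wording names a config key and two values ('enable', 'report_only', 'true') in plain quotes; in the wiki's own markup these read better as monospace, e.g. ''enable = true'', and the sentence should say which section of contentsecuritypolicy.ini the key lives in, since the reader is told to change it without being told where. It is also worth one clause saying that switching to true does not mean removing the report-to URI: an enforced policy still sends violation reports, so the reporting server set up for testing keeps delivering useful data in production.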
administration/security/content_security_policy.txt · Last modified: 2024/04/11 13:51 by demiankatz