author | Jelle van der Waa <jelle@archlinux.org> | 2019-03-17 17:52:26 +0100 |
---|---|---|
committer | Jelle van der Waa <jelle@archlinux.org> | 2019-03-17 17:52:26 +0100 |
commit | f829a33ea72429382ba11a856fe6b6c8955002eb (patch) | |
tree | b31046a9699ccf1c8d804d5e69a7b800b8b2f100 | |
parent | 7fb496f3b221c973ee79aa20dec09159f98ab2a5 (diff) | |
download | archweb-f829a33ea72429382ba11a856fe6b6c8955002eb.tar.gz archweb-f829a33ea72429382ba11a856fe6b6c8955002eb.zip |
settings: Add CSP FORM_ACTION header
Add the content security policy for <form> posts to only allow posts to
the origin from which it's served. This disallows posting forms to a
third party if a browser supports this directive.
-rw-r--r-- | settings.py | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/settings.py b/settings.py
index 8d06b326..682b9ffd 100644
--- a/settings.py
+++ b/settings.py
@@ -99,6 +99,7 @@ CSP_SCRIPT_SRC = ("'self'",)
 CSP_INCLUDE_NONCE_IN = ['script-src']
 CSP_IMG_SRC = ("'self'", 'data:',)
 CSP_BASE_URI = ("'none'",)
+CSP_FORM_ACTION = ("'self'",)
 CSP_FRAME_ANCESTORS = ("'none'",)
 # Use new test runner |
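Review bot: The added `CSP_FORM_ACTION` line deserves a comment, because `form-action` is one of the directives that does not fall back to `default-src`, so this line is the only thing governing where forms may submit, and Chromium-based browsers also apply it to a cross-origin redirect returned in response to a form submission. Any view that answers a POST with a redirect to another origin would therefore be blocked by this setting, which the commit message does not mention. Suggested comment above the line: `# form-action has no default-src fallback; Chromium also applies it to post-submit redirects, so add any origin a POST may redirect to`. Setting `CSP_REPORT_URI` while rolling this out would surface such blocked submissions before users hit them. The surrounding CSP settings continue outside the hunk.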