authorJelle van der Waa <jelle@archlinux.org>2019-03-17 17:52:26 +0100
committerJelle van der Waa <jelle@archlinux.org>2019-03-17 17:52:26 +0100
commitf829a33ea72429382ba11a856fe6b6c8955002eb (patch)
treeb31046a9699ccf1c8d804d5e69a7b800b8b2f100
parent7fb496f3b221c973ee79aa20dec09159f98ab2a5 (diff)
downloadarchweb-f829a33ea72429382ba11a856fe6b6c8955002eb.tar.gz
archweb-f829a33ea72429382ba11a856fe6b6c8955002eb.zip
settings: Add CSP FORM_ACTION header
Add the content security policy for <form> posts to only allow posts to the origin from which the form is served. This disallows posting forms to a third party if the browser supports this directive.
-rw-r--r--settings.py1
1 files changed, 1 insertions, 0 deletions
diff --git a/settings.py b/settings.py
index 8d06b326..682b9ffd 100644
--- a/settings.py
+++ b/settings.py
@@ -99,6 +99,7 @@ CSP_SCRIPT_SRC = ("'self'",)
CSP_INCLUDE_NONCE_IN = ['script-src']
CSP_IMG_SRC = ("'self'", 'data:',)
CSP_BASE_URI = ("'none'",)
+CSP_FORM_ACTION = ("'self'",)
CSP_FRAME_ANCESTORS = ("'none'",)
# Use new test runner
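Review bot: The new `CSP_FORM_ACTION = ("'self'",)` line carries no comment, although it changes behaviour for every form on the site: any form that legitimately posts to another origin will now be blocked with only a console violation report, and some browsers also enforce form-action on the redirect target that follows a form submission, so a post-login or post-submit redirect to another origin would be blocked too. A short comment next to the setting would spare the next maintainer a confusing debug session, e.g. `# form-action 'self': forms may only submit to this origin; some browsers also apply it to redirects after submission`. It is worth confirming against the project's templates that no form currently targets an external action URL, and, if a report endpoint is configured elsewhere in settings (not visible in this hunk), watching it after deploy for form-action violations.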