Content Security Policy CSP

[perseas]

Hello there,

I decided to use the CSP below on my elxis site (Version 4.5) with SSL certificate

default-src 'none'; script-src 'self' www.google-analytics.com ajax.googleapis.com; connect-src 'self'; img-src 'self'; style-src 'self'; https: data;

Can i write this direckly in the text field of Content Security Policy CSP (Control panel > Settings > Security > Content Security Policy CSP)

 or i must write something else?

Can you advise me ?

Best regards

[datahell]

Yes. What ever you write there it will be applied by Elxis to the "Content-Security-Policy" http header. You can read more about CSP here.

Please note that by using CSP you might have issues with external loaded javascript, css and image files. Make sure the js/css/image files your site is using are inside the script-src/style-src/img-src properties. Elxis does not uses external sources and so you have nothing to fear from Elxis. If any problem arise it will be by your own http code. Using CSP is recommended, go ahead!

[perseas]

Many Thanks for your information, Datahell !

[datahell]

Something I forgot to tell you is that you will face problems in pages with inline css/js... So be careful.

[perseas]

I will try on a test site first. I know that is very risky to use it.