Content Security Policy (CSP) with Hugo & CodeIT theme

Blog setup

I’m fairly new to Hugo, but getting used to it and loving it isn’t hard with its generous documentation and active community.

What is Content Security Policy (CSP)?

CSP[1] is an added layer of security that helps detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware. CSP can be delivered through an HTTP response header or a meta tag. You can use default-src as the fallback for every source type, or go further and specify individual source types (images, media, fonts, JS, CSS, etc.) together with the origin servers allowed for each. Content Security Policy Level 2 is a Candidate Recommendation and Level 3 is a Working Draft.

baseof.html

{{ if .Site.IsServer }}
  {{/* no CSP while serving locally with `hugo server` */}}
{{ else }}
  <meta http-equiv="Content-Security-Policy" content="default-src
    https://blog.madi.se/ https://blog-madi-se.disqus.com/
    https://platform.twitter.com/ https://gist.github.com/
    https://links.services.disqus.com/
    https://code.jquery.com/
    https://c.disquscdn.com/
    https://disqus.com/
    https://ajax.cloudflare.com/
    https://cdn.jsdelivr.net/
    https://res.cloudinary.com/
    https://www.google-analytics.com/">
  <meta http-equiv="Content-Security-Policy" content="base-uri 'self'">
  <meta http-equiv="Content-Security-Policy" content="form-action 'none'">
{{ end }}
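To see how a browser actually evaluates the three meta tags above, here is a small evaluator added as an example; it is not code from this post or from the CodeIT theme. It implements the CSP matching rules the snippet depends on: fetch directives such as script-src and img-src fall back to default-src when they are not set, base-uri and form-action never fall back (which is why they get their own tags), a host source ending in / matches by path prefix, and each meta tag is a separate policy that must independently allow the request. The URLs it is tested with and the host third-party.example are constructed inputs; nonces and hashes are left out of the matcher.

```python
"""Toy evaluator for the CSP source-list rules used by the baseof.html snippet.

Added example, not code from the blog post or the CodeIT theme. It models the
parts of the CSP algorithm the policy relies on: fetch directives fall back to
default-src, non-fetch directives (base-uri, form-action) never do, and each
<meta> tag is a separate policy that a request must satisfy.
"""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when not set.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src", "media-src", "connect-src",
    "object-src", "frame-src", "child-src", "worker-src", "manifest-src",
}
DEFAULT_PORTS = {"https": 443, "http": 80}


def parse_policy(policy: str) -> dict:
    """Serialized policy -> {directive: [source expressions]}; a repeated directive name is ignored."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def effective_sources(policy: dict, directive: str):
    """The source list governing `directive`, or None when this policy does not restrict it."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def _split_host_source(expr: str, page_scheme: str):
    """'[scheme://]host[:port][/path]' -> (scheme, host, port|None, path); scheme defaults to the page's."""
    scheme, rest = expr.split("://", 1) if "://" in expr else (page_scheme, expr)
    hostport, slash, path = rest.partition("/")
    host, _, port = hostport.rpartition(":") if ":" in hostport else (hostport, "", "")
    return scheme.lower(), host.lower(), (int(port) if port else None), slash + path


def source_matches(expr: str, url: str, page_origin: str) -> bool:
    """Match one source expression against a URL: 'self', scheme-source (https:),
    host-source with an optional leading *. wildcard, port, and path (prefix match
    when the path ends in /). Other quoted keywords, nonces and hashes never match a URL."""
    u, page = urlsplit(url), urlsplit(page_origin)
    if expr == "'self'":
        return (u.scheme, u.netloc.lower()) == (page.scheme, page.netloc.lower())
    if expr.startswith("'"):
        return False
    if expr.endswith(":") and "/" not in expr:
        return u.scheme == expr[:-1].lower()
    scheme, host, port, path = _split_host_source(expr, page.scheme)
    url_host = (u.hostname or "").lower()
    if u.scheme != scheme:
        return False
    if host.startswith("*."):
        host_ok = url_host.endswith(host[1:])  # *.example.com matches a.example.com, not example.com
    else:
        host_ok = host == "*" or url_host == host
    if not host_ok or (u.port or DEFAULT_PORTS.get(u.scheme)) != (port or DEFAULT_PORTS.get(scheme)):
        return False
    if not path:
        return True
    url_path = u.path or "/"
    return url_path.startswith(path) if path.endswith("/") else url_path == path


def allows(policies, directive: str, url: str, page_origin: str) -> bool:
    """A request is allowed only if every delivered policy allows it."""
    for policy in policies:
        sources = effective_sources(policy, directive)
        if sources is not None and not any(source_matches(e, url, page_origin) for e in sources):
            return False
    return True


def allows_inline(policies, directive: str) -> bool:
    """Inline script/style passes only where no list governs it or the list carries 'unsafe-inline'."""
    for policy in policies:
        sources = effective_sources(policy, directive)
        if sources is not None and "'unsafe-inline'" not in sources:
            return False
    return True


# The three policies from the baseof.html snippet, one per <meta> tag.
POLICIES = [parse_policy(p) for p in (
    "default-src https://blog.madi.se/ https://blog-madi-se.disqus.com/ "
    "https://platform.twitter.com/ https://gist.github.com/ https://links.services.disqus.com/ "
    "https://code.jquery.com/ https://c.disquscdn.com/ https://disqus.com/ https://ajax.cloudflare.com/ "
    "https://cdn.jsdelivr.net/ https://res.cloudinary.com/ https://www.google-analytics.com/",
    "base-uri 'self'",
    "form-action 'none'",
)]
PAGE_ORIGIN = "https://blog.madi.se/"

if __name__ == "__main__":
    print(allows(POLICIES, "script-src", "https://code.jquery.com/jquery.min.js", PAGE_ORIGIN))  # True via default-src
    print(allows(POLICIES, "form-action", "https://blog.madi.se/comment", PAGE_ORIGIN))           # False: 'none'
    print(allows_inline(POLICIES, "script-src"))                                                     # False
```

Running it against the snippet's own policy shows two things worth knowing before deploying it: inline scripts and styles are blocked because no list contains 'unsafe-inline', a nonce or a hash, and a policy delivered through a meta tag cannot use frame-ancestors, report-uri or sandbox, which browsers ignore there; those directives need the HTTP header.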

config.toml

# Hash function used for SRI; when empty, no SRI is used ("sha256", "sha384", "sha512", "md5")
fingerprint = "sha256"
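For what the fingerprint setting produces and how a browser uses it, the following helpers are an added example; they are not Hugo's implementation or the CodeIT theme's code. They build the `integrity` value for a resource and mimic the browser-side Subresource Integrity check, including the rule that hash expressions with an unrecognised algorithm are skipped. The sample script bytes and the path /js/theme.min.js are constructed.

```python
"""Subresource Integrity helpers.

Added example, not Hugo's or the CodeIT theme's code. It shows what the value
produced by `fingerprint = "sha256"` looks like in the `integrity` attribute and
how a browser checks it, including the rule that unsupported algorithms are ignored.
"""
import base64
import hashlib

# Algorithms the SRI spec requires browsers to support. Hugo's fingerprint option
# also accepts "md5", but a browser skips hash expressions it does not recognise.
SRI_ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def integrity_attribute(content: bytes, algorithm: str = "sha256") -> str:
    """Return the `integrity` value for `content`, e.g. 'sha256-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"{algorithm!r} is not a browser-supported SRI algorithm")
    digest = SRI_ALGORITHMS[algorithm](content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algorithm: str = "sha256") -> str:
    """Render a <script> tag with integrity; crossorigin is required for SRI on cross-origin resources."""
    return (f'<script src="{src}" integrity="{integrity_attribute(content, algorithm)}" '
            f'crossorigin="anonymous"></script>')


def verify_integrity(content: bytes, integrity: str) -> bool:
    """Mimic the browser check: parse space-separated hash expressions, drop unknown
    algorithms, keep only the strongest remaining algorithm and pass if any of its
    digests matches. With nothing usable left the check passes, which is exactly why
    an md5-only attribute protects nothing."""
    candidates = []
    for token in integrity.split():
        alg, sep, b64 = token.partition("-")
        alg = alg.lower()
        if sep and alg in SRI_ALGORITHMS:
            candidates.append((alg, b64.split("?", 1)[0]))  # strip any "?options" suffix
    if not candidates:
        return True
    strongest = max(STRENGTH[alg] for alg, _ in candidates)
    return any(integrity_attribute(content, alg) == f"{alg}-{b64}"
               for alg, b64 in candidates if STRENGTH[alg] == strongest)


# Constructed sample resource standing in for a theme script.
SAMPLE_JS = b"document.documentElement.classList.add('js');\n"

if __name__ == "__main__":
    print(script_tag("/js/theme.min.js", SAMPLE_JS))
    print(verify_integrity(SAMPLE_JS, integrity_attribute(SAMPLE_JS)))          # True
    print(verify_integrity(SAMPLE_JS + b"\n", integrity_attribute(SAMPLE_JS)))  # False: one byte changed
    print(verify_integrity(SAMPLE_JS, "md5-AAAA"))                              # True: md5 is ignored, no protection
```

The integrity value is only meaningful for the exact bytes the browser will receive, which is the difficulty behind fingerprinting resources served by a third-party CDN: if the remote file changes, the tag above stops loading it rather than loading a modified copy.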

Pending

Figuring out how to fingerprint external resources listed in jsdelivr.yml; bug report submitted (bug #98).

Other updates

BBC Radio 4 - The News Quiz is still my favorite listen.

Footnotes

  1. Mozilla/Web Technology for Developers/HTTP/