Add support for Content Security Policy
https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/14975 added support for enabling a nonce-based Content-Security-Policy header, which can significantly reduce JavaScript cross-site scripting (XSS) attacks.
Currently this is not on by default because a misconfigured policy could break loading of JavaScript. Users can configure the report_only and report_uri values to collect CSP violation reports before they enable enforcement completely.
In the future, we hope to generate reasonable defaults (https://gitlab.com/gitlab-org/gitlab-ce/issues/65675) so that GitLab will be secured by default.
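To illustrate the staged rollout described above, here is an added example (not GitLab's own code or configuration schema) that turns a constructed config with report_only and report_uri values into the response header: report_only selects the Report-Only header, which reports violations without blocking, and a fresh nonce is appended to script-src on every response. The config keys and report URL are assumptions for the illustration.

```python
import secrets
from typing import Dict, Optional, Tuple

# Constructed config modelled on the settings mentioned above (report_only,
# report_uri); an illustration only, not GitLab's own schema.
CSP_CONFIG = {
    "enabled": True,
    "report_only": True,            # staged rollout: report, do not block
    "directives": {
        "default_src": "'self'",
        "script_src": "'self'",     # per-response nonce is added below
        "object_src": "'none'",
        "report_uri": "https://csp-reports.example.invalid/report",  # placeholder
    },
}


def build_csp_header(config: Dict, nonce: str) -> Optional[Tuple[str, str]]:
    """Return (header_name, header_value) for one response, or None if CSP is off.

    report_only selects Content-Security-Policy-Report-Only, which only sends
    violation reports to report_uri; once the reports look clean the flag can
    be flipped to enforce the policy.
    """
    if not config.get("enabled"):
        return None
    name = ("Content-Security-Policy-Report-Only" if config.get("report_only")
            else "Content-Security-Policy")
    parts = []
    for key, value in config["directives"].items():
        if not value:
            continue                # unset directives are omitted entirely
        directive = key.replace("_", "-")
        if directive == "script-src":
            # Nonce-based CSP: only <script nonce="..."> tags carrying this
            # per-response value may run, so injected inline scripts are refused.
            value = f"{value} 'nonce-{nonce}'"
        parts.append(f"{directive} {value}")
    return name, "; ".join(parts)


def new_nonce() -> str:
    # Fresh, unguessable nonce for every response; never reuse across requests.
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    print(build_csp_header(CSP_CONFIG, new_nonce()))
```

Flipping report_only to False in the config switches the same policy to the enforcing Content-Security-Policy header.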