
Add support for Content Security Policy

Stan Hu requested to merge sh-add-csp-header-support into master

https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/14975 added support for enabling the nonce-based Content-Security-Policy headers, which can significantly reduce JavaScript cross-site scripting (XSS) attacks.

Currently this is not on by default because misconfiguring it could potentially break loading of JavaScript. Users can configure the report_only and report_uri values to report CSP violations before they enable it completely.

In the future, we hope to generate reasonable defaults (https://gitlab.com/gitlab-org/gitlab-ce/issues/65675) so that GitLab will be secured by default.

Edited by GitLab Release Tools Bot
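The nonce-based header and the report-only rollout described in the MR, as an added example in Ruby that is not part of this MR or of GitLab's code. The `report_only` and `report_uri` settings are mirrored as keyword arguments; `script_allowed?` is a deliberately simplified stand-in for the browser's `script-src` check, the origin and report endpoint URLs are hypothetical, and the violation report at the end is constructed.

```ruby
# Added example (not GitLab's code): how a nonce-based CSP header is built,
# what report-only mode changes, and why an injected inline <script> is
# rejected while the page's own nonced scripts keep running.
require 'securerandom'
require 'json'
require 'uri'

# One fresh nonce per HTTP response: 16 random bytes, base64-encoded (24 chars).
def generate_csp_nonce
  SecureRandom.base64(16)
end

# Returns [header_name, header_value]. `directives` maps a directive name to
# an array of source expressions and overrides the defaults below.
# report_only: true only switches the header name, so violations are reported
# but nothing is blocked, which is the safe way to trial a policy.
def build_csp_header(nonce, report_only: false, report_uri: nil, directives: {})
  policy = {
    'default-src' => ["'self'"],
    'script-src'  => ["'self'", "'nonce-#{nonce}'"],
    'object-src'  => ["'none'"],
    'base-uri'    => ["'self'"],
  }.merge(directives)
  policy['report-uri'] = [report_uri] if report_uri
  value = policy.map { |name, sources| "#{name} #{sources.join(' ')}" }.join('; ')
  [report_only ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy', value]
end

# Parse a header value back into { directive => [sources] }.
def parse_csp(value)
  value.split(';').map(&:strip).reject(&:empty?).each_with_object({}) do |directive, acc|
    name, *sources = directive.split(/\s+/)
    acc[name] = sources
  end
end

# Simplified version of the browser's script-src check. `tag` is a hash with
# either inline: true or src: "<url>", plus an optional nonce: attribute.
# `origin` is the document's origin, used to resolve 'self'.
def script_allowed?(policy_value, tag, origin:)
  policy  = parse_csp(policy_value)
  sources = policy['script-src'] || policy['default-src'] || []
  nonces  = sources.map { |s| s[/\A'nonce-(.+)'\z/, 1] }.compact

  if tag[:inline]
    # Once a nonce source is present, browsers ignore 'unsafe-inline':
    # inline code runs only if it carries a matching nonce attribute.
    return nonces.include?(tag[:nonce]) unless nonces.empty?
    return sources.include?("'unsafe-inline'")
  end

  uri  = URI.parse(tag[:src])
  port = uri.port == uri.default_port ? '' : ":#{uri.port}"
  return true if sources.include?("'self'") && "#{uri.scheme}://#{uri.host}#{port}" == origin
  return true if nonces.include?(tag[:nonce])
  sources.any? { |s| !s.start_with?("'") && host_source_matches?(s, uri.host) }
end

# Host-source matching for 'https://cdn.example.com', 'cdn.example.com' or
# '*.example.com'; scheme and path restrictions are ignored here for brevity.
def host_source_matches?(source, host)
  pattern = source.sub(%r{\A[a-z][a-z0-9+.-]*://}i, '').split('/').first
  return true if pattern == '*'
  pattern.start_with?('*.') ? host.end_with?(pattern[1..]) : host == pattern
end

# What the report_uri endpoint receives: a JSON body whose top-level key is
# "csp-report". Returns a compact summary, or nil if the body is not one.
def summarize_csp_report(json_body)
  report = JSON.parse(json_body)['csp-report']
  return nil unless report.is_a?(Hash)
  { document:  report['document-uri'],
    directive: report['effective-directive'] || report['violated-directive'],
    blocked:   report['blocked-uri'] }
end

if __FILE__ == $PROGRAM_NAME
  nonce  = generate_csp_nonce
  origin = 'https://gitlab.example.com' # hypothetical instance
  name, value = build_csp_header(nonce, report_only: true,
                                 report_uri: 'https://gitlab.example.com/csp-report')
  puts "#{name}: #{value}"
  puts script_allowed?(value, { inline: true, nonce: nonce }, origin: origin)       # page's own script
  puts script_allowed?(value, { inline: true }, origin: origin)                     # injected payload
  puts script_allowed?(value, { src: 'https://evil.example/x.js' }, origin: origin) # remote payload
end
```

Run it with `ruby csp_example.rb`: the page's own nonced script passes, the injected inline script and the remote script do not, and in report-only mode those two outcomes would reach `report_uri` as `csp-report` bodies instead of being blocked. That is the information the MR's staged rollout is meant to collect before `report_only` is switched off.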
