diff options
| -rw-r--r-- | docs/en/admins/10_ServerConfig.md | 8 | ||||
| -rw-r--r-- | p/scripts/main.js | 2 |
2 files changed, 6 insertions, 4 deletions
diff --git a/docs/en/admins/10_ServerConfig.md b/docs/en/admins/10_ServerConfig.md index c907221ea..84dccd272 100644 --- a/docs/en/admins/10_ServerConfig.md +++ b/docs/en/admins/10_ServerConfig.md @@ -115,18 +115,18 @@ server { ## Security -Avoid overwriting the [`Content-Security-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP) header with directives such as `more_set_headers "Content-Security-Policy: ..."` +Avoid overwriting the [`Content-Security-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP) header with directives such as `more_set_headers "Content-Security-Policy: ..."` or `add_header 'Content-Security-Policy' '...'`. ✅ Example of good CSP: `default-src 'self'; frame-ancestors 'self'` ❌ Bad CSP: `upgrade-insecure-requests` -Debug CSP header: +Debug your own CSP header: * With DevTools network tab: press F12 * [CSP Evaluator](https://csp-evaluator.withgoogle.com/) -If you're aware of the risks and want to ignore the warning shown to admin users, change the `suppress_csp_warning` setting to `true` in `./data/config.php` +If you’re aware of the risks and want to ignore the warning shown to admin users, change the `suppress_csp_warning` setting to `true` in `./data/config.php`. -Note that FreshRSS already ships with a secure CSP configuration, therefore it's not necessary to make any adjustments to CSP unless you're writing an extension. +Note that FreshRSS already ships with a secure CSP configuration, therefore it’s not necessary to make any adjustments to CSP unless you’re writing an extension. For that, look into the [`Minz_ActionController::_csp`](https://github.com/FreshRSS/FreshRSS/blob/d9197d7e32a97f29829ffd4cf4371b1853e51fa2/lib/Minz/ActionController.php#L76-L96) function and use it in individual actions. diff --git a/p/scripts/main.js b/p/scripts/main.js index 3b47beb84..80fbd71fc 100644 --- a/p/scripts/main.js +++ b/p/scripts/main.js @@ -2327,6 +2327,8 @@ function init_csp_alert() { Function(); } catch (_) { // Exit if 'script-src' is set and 'unsafe-eval' isn't set in CSP + console.info(`If you see a 'unsafe-eval' warning, everything is working as intended: +see https://freshrss.github.io/FreshRSS/en/admins/10_ServerConfig.html#security`); return; } |