aboutsummaryrefslogtreecommitdiff
path: root/docs/en/admins/10_ServerConfig.md
diff options
context:
space:
mode:
Diffstat (limited to 'docs/en/admins/10_ServerConfig.md')
-rw-r--r--docs/en/admins/10_ServerConfig.md4
1 files changed, 2 insertions, 2 deletions
diff --git a/docs/en/admins/10_ServerConfig.md b/docs/en/admins/10_ServerConfig.md
index 54f4f0fb4..c907221ea 100644
--- a/docs/en/admins/10_ServerConfig.md
+++ b/docs/en/admins/10_ServerConfig.md
@@ -116,9 +116,9 @@ server {
## Security
Avoid overwriting the [`Content-Security-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP) header with directives such as `more_set_headers "Content-Security-Policy: ..."`
-This will likely make your FreshRSS instance vulnerable to event handler XSS attacks, since FreshRSS does not yet blacklist all event attributes.
-✅ Example of good CSP: `default-src 'self' frame-ancestors 'self'`
+✅ Example of good CSP: `default-src 'self'; frame-ancestors 'self'`
+
❌ Bad CSP: `upgrade-insecure-requests`
Debug CSP header:
generated by cgit v1.2.3 (git 2.39.1) at 2026-02-10 09:06:47 +0000