Added documentation and notes about S3 content headers

2019-08-19 10:09:08 +02:00 · 2019-08-19 10:09:08 +02:00 · 1b8ca04a45
commit 1b8ca04a45
parent c71dd53ae0
5 changed files with 43 additions and 0 deletions
--- a/deploy/nginx.template
+++ b/deploy/nginx.template
@ -41,6 +41,9 @@ server {
    # HSTS
    add_header Strict-Transport-Security "max-age=31536000";

+    # If you are using S3 to host your files, remember to add your S3 URL to the
+    # media-src and img-src headers (e.g. img-src 'self' https://<your-S3-URL> data:)
+
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
    add_header Referrer-Policy "strict-origin-when-cross-origin";