Improve config of CSP headers.

2025-09-04 11:48:05 +00:00 · 2020-01-11 05:28:20 +01:00
parent 97dffaa8a9
commit c55bfc0b8c
3 changed files with 45 additions and 18 deletions
--- a/.env.example
+++ b/.env.example
@@ -161,9 +161,16 @@ WINDOWS_SSO_KEY=AUTH_USER
 ADLDAP_SYNC_FIELD=userprincipalname

 # You can disable the X-Frame-Options header if it interferes with tools like
-# Organizr. This is at your own risk.
+# Organizr. This is at your own risk. Applications running in frames run the risk
+# of leaking information to their parent frame.
 DISABLE_FRAME_HEADER=false

+# You can disable the Content Security Policy header when you're using an ancient browser
+# or any version of Microsoft Edge / Internet Explorer (which amounts to the same thing really)
+# This leaves you with the risk of not being able to stop XSS bugs should they ever surface.
+# This is at your own risk.
+DISABLE_CSP_HEADER=false
+
 # You can fine tune the start-up of a Docker container by editing these environment variables.
 # Use this at your own risk. Disabling certain checks and features may result in lost of inconsistent data.
 # However if you know what you're doing you can significantly speed up container start times.