22 lines
719 B
Ruby
22 lines
719 B
Ruby
Rails.application.configure do
|
|
config.content_security_policy do |policy|
|
|
policy.default_src :none
|
|
policy.font_src :self
|
|
policy.img_src :self
|
|
policy.object_src :self
|
|
policy.script_src :self, :unsafe_inline, :unsafe_eval
|
|
policy.style_src :self, :unsafe_inline
|
|
policy.frame_src :self, :data
|
|
policy.connect_src :self
|
|
|
|
# if Rails.env.development?
|
|
# policy.connect_src :self # LiveReload
|
|
# end
|
|
end
|
|
|
|
# Generate session nonces for permitted importmap, inline scripts, and inline styles.
|
|
config.content_security_policy_nonce_generator = -> _ { SecureRandom.hex 16 }
|
|
config.content_security_policy_nonce_directives = %w(script-src style-src)
|
|
|
|
# config.content_security_policy_report_only = true
|
|
end
|