Skip to content

Instantly share code, notes, and snippets.

@ThomasLeister
Last active February 20, 2023 03:16
Show Gist options
  • Save ThomasLeister/4dd9394e72e1f9bc2e1d8125bc02e0ab to your computer and use it in GitHub Desktop.
Save ThomasLeister/4dd9394e72e1f9bc2e1d8125bc02e0ab to your computer and use it in GitHub Desktop.
CSP header for Mastodon social network
(Assuming metalhead.club as instance domain - please adapt to your instance!)
add_header Content-Security-Policy "default-src 'none'; script-src https: 'self'; object-src 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:; media-src 'self' data:; frame-src 'self' https:; font-src 'self' data:; connect-src 'self' wss://metalhead.club";
Note:
style-src: I chose 'unsafe-inline' because there are just too many inline styles in static source code or dynamically
generated code to cover all cases (Embed dialog, image lightbox, ...). Also styles seem to be dynamic, so
hashes cannot be generated to allow certain inline styles. :-(
@Justinzobel
Copy link

Any update to this as I tried it and I got a large error in the Firefox console?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment