From 98a7e42c15b731f97798abbcadfd2a42ed480744 Mon Sep 17 00:00:00 2001
From: Kumi
Date: Sun, 21 Jul 2024 11:44:19 +0200
Subject: [PATCH] fix(csp): refine img-src policy to improve security

Switched 'img-src' directive to only allow 'self', and removed the wildcard '*' and 'data:' source settings. This adjustment enhances security by restricting image sources to the same origin, preventing potential exploitation from arbitrary or data URLs.
---
 classes/Middleware/CspMiddleware.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/classes/Middleware/CspMiddleware.php b/classes/Middleware/CspMiddleware.php
index 859162a..3ec5d6a 100644
--- a/classes/Middleware/CspMiddleware.php
+++ b/classes/Middleware/CspMiddleware.php
@@ -41,6 +41,7 @@ class CspMiddleware
 ->addDirective('font-src', ['self' => true])
 ->addDirective('style-src', ['self' => true])
 ->addDirective('manifest-src', ['self' => true])
+ ->addDirective('img-src', ['self' => true])
 ->addDirective('base-uri', [])
 ->addDirective('frame-ancestors', [])
 ->addSource('form-action', '*')
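Review bot: The commit message says the `*` and `data:` img-src sources were removed, but the hunk is insertion-only, so whether `->addDirective('img-src', ['self' => true])` replaces or merges with an img-src value configured elsewhere depends on the builder and cannot be seen here; confirm the emitted header reads `img-src 'self'` and not `img-src 'self' * data:`. Once effective, any images served as `data:` URIs and any third-party images will be blocked, so a pass with `Content-Security-Policy-Report-Only` or a `report-to`/`report-uri` directive would surface breakage before it reaches users. A one-line comment on the new line, e.g. `// Same-origin images only; data: and remote sources were dropped deliberately`, would stop a later maintainer from quietly re-adding them. The method holding this directive chain in CspMiddleware starts and ends outside the hunk.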