fix(csp): refine img-src policy to improve security
Switched 'img-src' directive to only allow 'self', and removed the wildcard '*' and 'data:' source settings. This adjustment enhances security by restricting image sources to the same origin, preventing potential exploitation from arbitrary or data URLs.
This commit is contained in:
parent
c9fadaae20
commit
98a7e42c15
1 changed file with 1 addition and 0 deletions
|
@ -41,6 +41,7 @@ class CspMiddleware
|
||||||
->addDirective('font-src', ['self' => true])
|
->addDirective('font-src', ['self' => true])
|
||||||
->addDirective('style-src', ['self' => true])
|
->addDirective('style-src', ['self' => true])
|
||||||
->addDirective('manifest-src', ['self' => true])
|
->addDirective('manifest-src', ['self' => true])
|
||||||
|
->addDirective('img-src', ['self' => true])
|
||||||
->addDirective('base-uri', [])
|
->addDirective('base-uri', [])
|
||||||
->addDirective('frame-ancestors', [])
|
->addDirective('frame-ancestors', [])
|
||||||
->addSource('form-action', '*')
|
->addSource('form-action', '*')
|
||||||
|
|
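Review bot: the commit message says the wildcard '*' and 'data:' sources were removed from 'img-src', but this hunk is purely additive (1 addition, 0 deletions) and no prior 'img-src' line is deleted; either the earlier '*'/'data:' configuration lived somewhere outside this hunk, or there was no explicit 'img-src' before and images fell through to the 'default-src' fallback, in which case the message should say so rather than describe a removal. The added line `->addDirective('img-src', ['self' => true])` matches the `addDirective` form used for 'font-src', 'style-src' and 'manifest-src', which is good, but restricting images to same-origin will also block any data: URLs the application itself emits (inline avatars, generated thumbnails), so confirm that no such images exist or expect report-only violations before enforcing. Unrelated to this change but visible in the context: `->addSource('form-action', '*')` leaves form submission targets unrestricted, which undercuts the tightening done here and is worth a follow-up.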