我想在我的React网站中包含内容安全策略。这就是我添加的索引.html头部:
<meta http-equiv="Content-Security-Policy" content="default-src 'none';
script-src 'self' 'unsafe-inline'
https://www.google-analytics.com/
https://maps.googleapis.com/
https://developers.google.com/;
img-src 'self'
https://www.google-analytics.com
https://maps.googleapis.com/
https://maps.gstatic.com/
https://developers.google.com/ data:;
style-src 'self' https://fonts.googleapis.com 'unsafe-inline';
font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com data:;
frame-src 'self' https://www.slideshare.net;
upgrade-insecure-requests; block-all-mixed-content;
connect-src 'self'">
我用过这个网站-
https://www.htbridge.com/websec/
检查我的网站是否安全,我仍然有“F”。问题是我有很多错误的配置,比如:X-FRAME-OPTIONS,X-XSS-PROTECTION,X-CONTENT-TYPE-OPTIONS,还有CONTENT-SECURITY-POLICY。我是做错了什么,还是应该添加更多的“设置”来确保安全?
