Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Including Content-Security-Policy in React

Tags:

html

reactjs

content-security-policy

html-meta

I want to include Content-Security-Policy to my React website. This is what I added to index.html in the head:

<meta http-equiv="Content-Security-Policy" content="default-src 'none';
      script-src 'self' 'unsafe-inline'
      https://www.google-analytics.com/
      https://maps.googleapis.com/
      https://developers.google.com/;
      img-src 'self'
      https://www.google-analytics.com
      https://maps.googleapis.com/
      https://maps.gstatic.com/
      https://developers.google.com/ data:;
      style-src 'self' https://fonts.googleapis.com 'unsafe-inline';
      font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com data:;
      frame-src 'self' https://www.slideshare.net;
      upgrade-insecure-requests; block-all-mixed-content;
      connect-src 'self'">

I used this website- https://www.htbridge.com/websec/ to check if my website is secured and I still got 'F'. The problem is that I have many misconfiguration such that: X-FRAME-OPTIONS, X-XSS-PROTECTION, X-CONTENT-TYPE-OPTIONS and also CONTENT-SECURITY-POLICY. Am I doing something wrong or should I add more 'settings' to make it secure?

like image 876
Grzegorz Brzęczyszczykiewicz Avatar asked May 18 '26 03:05

Grzegorz Brzęczyszczykiewicz

1 Answers

Content-Security-Policy is just one of the security measures to avoid some sort of attacks, and this can be used within the React index.html.

However, the other methods you mentioned (X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, etc) are essentially set in the server side when receiving http(s) requests.

For instance, if the server hosting your React website is Apache, then you can add these lines in the '.htaccess' file:

# Set Strict-Transport-Security
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

# Set X-Frame-Options (Protect against page-framing and click-jacking)
Header always append X-Frame-Options SAMEORIGIN

# Set X-Content-Type-Options (Protect against content-sniffing)
Header set X-Content-Type-Options nosniff

# Set X-XSS-Protection (Protect against XSS attacks)
Header set X-XSS-Protection "1; mode=block"

# Set Referrer-Policy
Header set Referrer-Policy "same-origin"
like image 198
Sergi Juanati Avatar answered May 20 '26 15:05

Sergi Juanati
Sign in to Comment

Related questions

Bootstrap Is Adding Conflicting Styles To JQTree
Do server-sent events work with CORS?
weird html5 manifest reloading
Debugging Google Web Fonts
Video won't play when clicked
Custom SVG is not loading in my image tag
Is there any way to change background color of ::selection (selected text) using JavaScript?
How to change desktop-first design code to mobile-first with tailwind css (responsiveness)
How can I remove all text after the last <li> of every <ul>?
3D transform CSS3 cause text and images to be blurred
How to add a URL in the description field in Facebook by using dialog/feed javascript?
Spacebar "doesn't work" in `button` element when i use the HTML5 `contenteditable`. How can i get it to working?
Why can't add link tag for expanded html:5?
HTML5 - 2017 right way to order <tbody> and <tfoot> elements?
Assistance required with dropdown menu
How can I put this div scroll using display: table?
html email does not send in codeigniter
How to prevent page jumps when checkbox's state changes?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!