From 7afdd13b64657362ce71645037bdf8b69c2069ce Mon Sep 17 00:00:00 2001
From: Maikel Linke
Date: Tue, 12 Aug 2025 12:41:24 +1000
Subject: [PATCH] Update CSP config with Rails 7.0 template
---
 .../initializers/content_security_policy.rb | 24 ++++++++-----------
 1 file changed, 10 insertions(+), 14 deletions(-)
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 9a584f2850..b4e38a4788 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -1,8 +1,8 @@
 # Be sure to restart your server when you modify this file.
-# Define an application-wide content security policy
-# For further information see the following documentation
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+# Define an application-wide content security policy.
+# See the Securing Rails Applications Guide for more information:
+# https://guides.rubyonrails.org/security.html#content-security-policy-header
 Rails.application.config.content_security_policy do |policy|
 policy.default_src :self, :https
@@ -23,15 +23,11 @@ Rails.application.config.content_security_policy do |policy|
 # Specify URI for violation reports
 # policy.report_uri "/csp-violation-report-endpoint"
+
+ # Generate session nonces for permitted importmap and inline scripts
+ # config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
+ # config.content_security_policy_nonce_directives = %w(script-src)
+
+ # Report violations without enforcing the policy.
+ # config.content_security_policy_report_only = true
 end
-
-# If you are using UJS then enable automatic nonce generation
-# Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
-
-# Set the nonce only to specific directives
-# Rails.application.config.content_security_policy_nonce_directives = %w(script-src)
-
-# Report CSP violations to a specified URI
-# For further information see the following documentation:
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
-# Rails.application.config.content_security_policy_report_only = true
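Review bot: The three commented `config.…` examples added inside the `do |policy|` block (nonce_generator, nonce_directives, report_only) would raise NameError if someone uncomments them here, because this file opens the block as `Rails.application.config.content_security_policy do |policy|` at top level rather than inside the `Rails.application.configure do … end` wrapper that the Rails 7.0 template assumes, so there is no `config` receiver in scope; the removed lines spelled out `Rails.application.config.` and sat after `end` for exactly that reason. Either adopt the template's `Rails.application.configure do` wrapper as well, or keep the examples outside the block as `# Rails.application.config.content_security_policy_nonce_generator = ->(request) { … }`. Separately, the new nonce example `request.session.id.to_s` produces the same nonce for every response in a session, puts the session identifier into the CSP header and every nonce attribute, and appears to be empty for a not-yet-committed session (`nil.to_s`), whereas the per-request `SecureRandom.base64(16)` generator this hunk removes is the stronger default unless a stable per-session nonce is specifically needed for importmap. A one-line comment next to the example stating that trade-off, e.g. `# NOTE: session-id nonces are per-session, not per-request; prefer SecureRandom unless importmap caching requires this`, would help whoever enables it later.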