zydronium/manage.get.gov
1
0
Fork 0
mirror of https://github.com/cisagov/manage.get.gov.git synced 2025-07-25 20:18:38 +02:00
Code Issues Projects Releases Packages Wiki Activity

Change CSP to a WARN to make this test pass

Browse source
This commit is contained in:
Neil Martinsen-Burrell 2022-10-05 14:55:25 -05:00
parent a43f95ada7
commit 09bf50f6a5
No known key found for this signature in database
GPG key ID: 6A3C818CC10D0184
2 changed files with 7 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/registrar/config/settings.py
View file

@ -240,6 +240,12 @@ SERVER_EMAIL = "root@get.gov"
# as Host header may contain a proxy rather than the actual client
USE_X_FORWARDED_HOST = True
# Content-security policy header configuration
CSP_DEFAULT_SRC = ["'none'"]
CSP_STYLE_SRC = ["'self'"]
CSP_SCRIPT_SRC = ["'self'"]
CSP_IMG_SRC = ["'self'"]
# endregion
# region: Internationalisation----------------------------------------------###

2
src/zap.conf
View file

@ -28,7 +28,7 @@
10035 FAIL (Strict-Transport-Security Header - Passive/beta)
10036 WARN (HTTP Server Response Header - Passive/beta)
10037 WARN (Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) - Passive/release)
10038 FAIL (Content Security Policy (CSP) Header Not Set - Passive/beta)
10038 WARN (Content Security Policy (CSP) Header Not Set - Passive/beta)
10039 WARN (X-Backend-Server Header Information Leak - Passive/beta)
10040 FAIL (Secure Pages Include Mixed Content - Passive/release)
10041 WARN (HTTP to HTTPS Insecure Transition in Form Post - Passive/beta)