feat: allow disabling CSP, following the hierarchy

Introduces new option `enable_csp`, true by default.
Can be set on a page, section or globally.
welpo 2024-03-15 15:04:37 +01:00
parent 8537bbc10e
commit 5e0cbdd67d
No known key found for this signature in database
GPG key ID: A2F978CF4EC1F5A6
10 changed files with 30 additions and 7 deletions

@ -1,7 +1,7 @@
+++
title = "Secure by default"
date = 2023-02-22
updated = 2023-09-29
updated = 2024-03-15
description = "tabi has an easily customizable Content Security Policy (CSP) with safe defaults. Get peace of mind and an A+ on Mozilla Observatory."
[taxonomies]
@ -30,6 +30,8 @@ The `allowed_domains` list specifies the URLs that the website should be able to
This feature allows you to easily customize the website's security headers to allow for specific use cases, such as embedding YouTube videos, loading scripts or remote fonts ([not recommended](https://www.albertovarela.net/blog/2022/11/stop-using-google-fonts/)).
You can disable the CSP (allowing all connections) on a page, section, or globally by setting `enable_csp = false` in the front matter or `config.toml` file.
**Note**: [enabling comments](@/blog/comments/index.md) or [analytics](@/blog/mastering-tabi-settings/index.md#analytics) automatically allows scripts/frames/styles/connections as needed from the respective services.
[^1]: Requires proper webserver configuration (e.g. redirecting HTTP traffic to HTTPS).
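Review bot: the added sentence (`You can disable the CSP (allowing all connections) on a page, section, or globally by setting `enable_csp = false` ...`) does not document the precedence the commit title promises ("following the hierarchy"): state explicitly which level wins when they disagree, e.g. "page front matter overrides the section's `_index.md`, which overrides `config.toml`", otherwise a reader cannot tell whether a global `enable_csp = false` can be re-enabled on a single page or vice versa. "allowing all connections" is also ambiguous about what is actually emitted: say whether the `Content-Security-Policy` header/meta tag is omitted entirely or replaced with a permissive policy, and add a short caution that any page built with `enable_csp = false` loses the protection this very page advertises ("safe defaults", "A+ on Mozilla Observatory"), so the option should be used per page or section rather than globally where possible.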