add csp rules

crazyguitar · Sep 13, 2018 · 02348c3 · 02348c3
1 parent a57b63f
commit 02348c3
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/app.py b/app.py
@@ -21,7 +21,18 @@ def find_key(token):
             return os.environ.get("ACME_KEY_{}".format(n))
 
 
-csp = {"default-src": ["*", "'unsafe-inline'", "'unsafe-eval'"]}
+csp = {
+    "default-src": ["'self'", "github.com", "*.readthedocs.org"],
+    "style-src": ["'self'", "unsafe-inline", "'unsafe-inline'"],
+    "script-src": [
+        "'self'",
+        "*.cloudflare.com",
+        "'unsafe-inline'",
+        "'unsafe-eval'",
+    ],
+    "img-src": "*",
+    "frame-src": "ghbtns.com",
+}
 app = Flask(__name__)
 app.config["SECRET_KEY"] = os.urandom(16)
 csrf = SeaSurf(app)