Content Security Policy

I have a question related to Content Security Policy. On https://observatory.mozilla.org my website rated badly = F. With the following four lines of code (.htaccess), the rating changed to A+:

Header add Content-Security-Policy "default-src 'self';"
Header set X-Content-Type-Options "nosniff"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" env=HTTPS
Header always set X-FRAME-OPTIONS "DENY"

Unfortunately, the Kirby backend is now no longer displayed and the following error appears 3 times:

"[Error] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy."

If I swap this line …

Header add Content-Security-Policy "default-src 'self';"

… for this one …

Header add Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline';"

… (= allowing inline code) I get this message multiple times:

[Error] Refused to load https://www.website.com/media/panel/b3a806218f035122e3a0d6319430a39f/js/vendor.js because it does not appear in the script-src directive of the Content Security Policy.
[Error] Refused to load https://www.website.com/media/panel/b3a806218f035122e3a0d6319430a39f/js/plugins.js because it does not appear in the script-src directive of the Content Security Policy.
[Error] Refused to load https://www.website.com/media/panel/b3a806218f035122e3a0d6319430a39f/js/index.js because it does not appear in the script-src directive of the Content Security Policy.
[...]

Long story short: What do the settings (Content Security Policy) have to be like so that the site is secure and Kirby works at the same time?

Thank you for help!

You could try using my plugin.

Even if you do not want to keep the plugin itself, it will help you with its sane defaults. You could copy the generated CSP headers and apply them manually like you do now.

Thanks for the tip. I will definitely give it a try! :+1:

You can also have a look at this issue where a solution is shown for the Panel.

In short: It’s better to define a CSP via PHP (and the Kirby config) than via the server (apache config/nginx config) if you’re using Kirby’s panel.

@bnomei's plugin is great and helps automate the stuff I linked to above by providing a plugin with good defaults already.

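The "define the CSP via PHP and the Kirby config" approach mentioned above, written out as an added example. This is not code from the thread, from the linked issue, or from Kirby itself. It assumes Kirby 3's `route:before` hook and `$kirby->nonce()`, the per-request nonce the Panel attaches to its own inline `<script>` tags; verify both against your Kirby version before relying on them. It also addresses the second error set in the question: `script-src` does not inherit from `default-src`, so `script-src 'unsafe-inline'` on its own dropped `'self'` and blocked the Panel's JS files under /media/panel/.

```php
<?php
// site/config/config.php
// Added example, not from the thread or from Kirby. Assumes Kirby 3:
// the 'route:before' hook fires for Panel routes too, and $kirby->nonce()
// returns the nonce the Panel puts on its inline <script> tags.

return [
    'hooks' => [
        'route:before' => function () {
            $kirby = kirby();

            // Use the Panel's own nonce. A nonce generated here with
            // random_bytes() would not match the attribute in the HTML,
            // and the inline bootstrap script would still be refused.
            $nonce = $kirby->nonce();

            $directives = [
                // Fallback for every fetch directive not listed below.
                'default-src'     => "'self'",
                // script-src replaces default-src instead of extending it,
                // so 'self' has to be repeated here or same-origin files
                // such as /media/panel/<hash>/js/vendor.js are blocked.
                // The nonce admits the Panel's inline script without
                // 'unsafe-inline'.
                'script-src'      => "'self' 'nonce-{$nonce}'",
                // Plugins/Flash-style embeds are never needed.
                'object-src'      => "'none'",
                // Stops <base> injection from redirecting relative script URLs.
                'base-uri'        => "'self'",
                // Same effect as X-Frame-Options: DENY, expressed in CSP.
                'frame-ancestors' => "'none'",
            ];

            $parts = [];
            foreach ($directives as $name => $value) {
                $parts[] = $name . ' ' . $value;
            }
            $policy = implode('; ', $parts);

            // Roll out as Content-Security-Policy-Report-Only first, read the
            // browser console, then switch to the enforcing header name.
            header('Content-Security-Policy: ' . $policy);
        },
    ],
];
```

Remove the `Header add Content-Security-Policy "default-src 'self';"` line from .htaccess when using this: browsers enforce every CSP header they receive, so a leftover server-side policy without a nonce would still block the Panel. The other three headers (nosniff, HSTS, X-Frame-Options) do not depend on a per-request value and can stay in .htaccess. If the console still reports violations (for example for inline styles or data: images), widen the specific directive that failed rather than re-adding `'unsafe-inline'` to `script-src`, which would undo most of the protection the A+ rating reflects.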