My Application had the privilege of being PEN-tested.
One thing they found and marked as a medium thread was that the csp header in the kirby panel is not sufficient and needs more keywords.
Is it possible to modify the header, which is set here kirby/src/Panel/Document.php at 0f916becac8a2bc824a72cdb70066ed56b50c0f4 · getkirby/kirby · GitHub ?
I tried using route after and before hooks but the Content-Security-Policy gets overriden for these requests. (I can set other headers like “X-Test: Hello“).
I am also not sure i even need further keywords from a security point of view, maybe anyone has insights on this?
Any guidance is greatly appreciated!
