Merge pull request #412 from malin-as/build

About Content Security Policy settings and CDNs
marionschleifer committed Nov 4, 2017
2 parents c5d641e + 7b289c9 commit c51d7286aba502ad06d30b9e5dc9ec75a54eb713
Showing with 19 additions and 0 deletions.
  1. +19 −0 source/guides/1.1/assets/content-delivery-network.md
@@ -69,6 +69,25 @@ The output will be:
<script integrity="sha256-cCueBR6CsyA4/9szpPfrX3s49M9vUU5BgtiJj06wt/s=" src="https://code.jquery.com/jquery-3.1.0.min.js" type="text/javascript" crossorigin="anonymous"></script>
```

### Content Security Policy (CSP)

By default, Hanami sets a Content-Security-Policy header which does not allow for the execution of external JavaScript code.

Let's say we want to use [Bootstrap](https://getbootstrap.com/) in our `web` application, we have to explicitly allow for the use of the relevant CDNs in `app/web/application.rb` by appending them in the `script-src` field:

```ruby
security.content_security_policy %{
script-src 'self' \
https://code.jquery.com \
https://cdnjs.cloudflare.com \
https://maxcdn.bootstrapcdn.com;
}
```

Read more about the CSP header in the [security guide](/guides/1.1/projects/security/#content-security-policy).

### Local Assets

The security problem described above doesn't concern only CDNs, but local files too.
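Review bot: the snippet under "security.content_security_policy %{" sets the whole header to a single `script-src` directive, while the sentence above it tells the reader to append the CDN hosts to the `script-src` field of the policy Hanami already sets; anyone copying the snippet as written replaces the default policy, so any other directives it carries are dropped. Either state explicitly that the reader should keep the existing policy and only extend its `script-src` list, or show the complete policy with the three hosts added to `script-src`. It is also worth noting, since each listed host (for example `https://cdnjs.cloudflare.com`, a shared CDN) becomes fully trusted for scripts, that the `integrity` attribute shown in the previous section still applies and should be kept on every `<script>` tag loaded from these origins.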
