Merge pull request #62 from pdgonzalez872/pg-add-example-docs

Add docs with a solution on how to solve the check
nccgroup · Apr 8, 2020 · 52531c5 · 52531c5
2 parents b478d0b + a4d8f3b
commit 52531c5
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/lib/sobelow/config/csp.ex b/lib/sobelow/config/csp.ex
@@ -13,6 +13,12 @@ defmodule Sobelow.Config.CSP do
   but does not provide a Content-Security-Policy header in the
   custom headers map.
 
+  When it comes to CSP, just about any policy is better than none.
+  If you are unsure about which policy to use, the following
+  mitigates most typical XSS vectors:
+
+  `plug :put_secure_browser_headers, %{"content-security-policy" => "default-src 'self'"}`
+
   Documentation on the `put_secure_browser_headers` plug function
   can be found here:
   https://hexdocs.pm/phoenix/Phoenix.Controller.html#put_secure_browser_headers/2