owenbendavies · owenbendavies · Oct 5, 2015 · Oct 5, 2015
diff --git a/config/initializers/secureheaders.rb b/config/initializers/secureheaders.rb
@@ -4,8 +4,11 @@
   config.x_xss_protection = { value: 1, mode: 'block' }
 
   config.csp = {
-    default_src: "'self' https:",
     enforce: true,
+    default_src: "'none'",
+    connect_src: "'self'",
+    font_src: "'self' https:",
+    img_src: "'self' https: data:",
     script_src: "'self' https: 'unsafe-inline'",
     style_src: "'self' https: 'unsafe-inline'"
   }

diff --git a/spec/features/application/cross_site_policy_spec.rb b/spec/features/application/cross_site_policy_spec.rb
@@ -5,7 +5,9 @@
     visit_200_page '/home'
 
     expect(response_headers['Content-Security-Policy']).to eq [
-      "default-src 'self' https:",
+      "default-src 'none'",
+      "connect-src 'self'",
+      "font-src 'self' https:",
       "img-src 'self' https: data:",
       "script-src 'self' https: 'unsafe-inline'",
       "style-src 'self' https: 'unsafe-inline'"