Is it possible to use hashes for CSP? #1779
WolfgangSn asked this question in Q&A (unanswered, 0 replies)
I would like to use Content Security Policy (CSP).
So I enabled security in sftpgo.json and used Google Chrome to identify the correct sha256 hashes to be used for the content_security_policy variable.
This looked promising until /web/admin/users was parsed...
The users page contains the X-CSRF-TOKEN in one of the JavaScript inline functions.
As this token changes with the requests, the sha256 hash also changes with every request/session.
How to deal with this? Is the only possibility to set this to unsafe-inline then? Or would it be possible to have a fix for this, to have this part of the JavaScript in a separate file and not as an inline script?
Best regards,
WolfgangSn
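The behaviour described in the question, as an added example that is not part of the original post and not SFTPGo code: a CSP hash covers the exact text between `<script>` and `</script>`, so a per-request token inside that text changes the hash, while a script that reads the token from elsewhere in the page keeps one stable hash. The script bodies, the `csrf-token` meta tag name and the `send` helper are assumptions made for illustration.

```python
import base64
import hashlib
import html

def csp_hash(script_body: str) -> str:
    """CSP hash source for the exact text between <script> and </script>."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

# Constructed stand-ins for page templates (not SFTPGo's real markup).
EMBEDDED = "var csrf = '{token}'; send('/web/admin/users', csrf);"
STATIC = ("var csrf = document.querySelector('meta[name=\"csrf-token\"]')"
          ".content; send('/web/admin/users', csrf);")

def render_embedded(token: str):
    """Token inside the inline script: the hashed bytes change per request."""
    body = EMBEDDED.format(token=token)
    return "<script>" + body + "</script>", csp_hash(body)

def render_static(token: str):
    """Token in a <meta> tag: the script body, and so its hash, is constant."""
    meta = '<meta name="csrf-token" content="%s">' % html.escape(token, quote=True)
    return meta + "<script>" + STATIC + "</script>", csp_hash(STATIC)

def policy(*hashes: str) -> str:
    """Build a script-src directive that does not need 'unsafe-inline'."""
    return "script-src 'self' " + " ".join(sorted(set(hashes)))

if __name__ == "__main__":
    # Constructed token values standing in for two different sessions.
    for tok in ("tokenA-constructed", "tokenB-constructed"):
        print("embedded:", render_embedded(tok)[1])
        print("static:  ", render_static(tok)[1])
    print(policy(render_static("any")[1]))
```

The same static body can be served from a separate `.js` file covered by `'self'`, in which case no hash is needed for it at all.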