Content security policy ?

Forum for questions and support relating to the 1.30.x releases only.
timf
Posts: 132
Joined: Mon Mar 21, 2005 4:07 pm
Location: Lytham St.Annes Lancs.

Content security policy ?

Post by timf »

Hi,

I have V1.30.4 running nicely under Ubuntu 18.04.

I have recently hardened the apache server to run https along with adding a number of security headers - everything still runs nice and I now get an 'A' when I test the security of the server.

I can get an A+ (highest rating) by tweaking the CSP but in doing so I can no longer log into ZM from my PC.

Here's the relevant line from my apache2.conf

Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'"

I've tried dropping https, unsafe-eval and unsafe-inline in any combination and can get an A+ but then ZM login stops working.

Any suggestions about how to get an A+ security or doesn't it matter ?

Regards Tim
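
The sources in the posted header that relax script restrictions, as an added example that is not part of the original thread: a small auditor that applies the CSP rule that scripts are governed by script-src, falling back to default-src. The function names and the stricter comparison policy are constructed for illustration; that policy has not been tested with ZoneMinder.

```python
# Added example: list the sources in a CSP value that relax script restrictions.
SCHEMES = {"*": "any origin", "http:": "any HTTP host", "https:": "any HTTPS host",
           "data:": "data: URIs"}
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(value):
    """Return {directive: [sources]}; a repeated directive is ignored, as in browsers."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_findings(value):
    """Return (directive, source, reason) for each source that weakens script control."""
    policy = parse_csp(value)
    # Scripts are governed by script-src, falling back to default-src.
    directive = "script-src" if "script-src" in policy else "default-src"
    if directive not in policy:
        return [("(none)", "", "no script-src or default-src, scripts unrestricted")]
    sources = policy[directive]
    # Browsers ignore 'unsafe-inline' when a nonce or hash is present.
    strict = any(s.lower().startswith(HASH_OR_NONCE) for s in sources)
    findings = []
    for src in sources:
        low = src.lower()
        if low == "'unsafe-inline'" and not strict:
            findings.append((directive, src, "inline scripts and handlers allowed"))
        elif low == "'unsafe-eval'":
            findings.append((directive, src, "eval() and similar allowed"))
        elif low in SCHEMES:
            findings.append((directive, src, "scripts loadable from " + SCHEMES[low]))
    return findings


# Header value quoted in the post above.
POSTED = "default-src https: data: 'unsafe-inline' 'unsafe-eval'"
# Constructed comparison policy (nonce is a placeholder); not tested with ZoneMinder.
STRICTER = "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'"

if __name__ == "__main__":
    for name, value in (("posted", POSTED), ("stricter", STRICTER)):
        print(name, "->", script_findings(value) or "no script-relaxing sources")
```
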
river100
Posts: 145
Joined: Sun Oct 07, 2007 5:52 pm
Location: Louisiana

Re: Content security policy ?

Post by river100 »

I commented out the line below > Add CSP Headers line 179 in the file
logged in and it seems to be working

Is removing that going to be a problem ?