Content security policy?
Posted: Thu May 31, 2018 9:57 am
Hi,
I have V1.30.4 running nicely under Ubuntu 18.04.
I have recently hardened the apache server to run https along with adding a number of security headers - everything still runs nice and I now get an 'A' when I test the security of the server.
I can get an A+ (highest rating) by tweaking the CSP but in doing so I can no longer log into ZM from my PC.
Here's the relevant line from my apache2.conf
Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'"
I've tried dropping https, unsafe-eval and unsafe-inline in any combination and can get an A+ but then ZM login stops working.
Any suggestions about how to get an A+ security or doesn't it matter?
Regards Tim
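
Added example, not part of the original post: a small Python audit of a Content-Security-Policy value that applies the default-src fallback and lists which permissive source expressions end up governing scripts, styles and plugins. The `CHECKS` mapping and the `CONSTRUCTED` policy are assumptions made for this example; the constructed policy is only there for contrast and has not been tested against ZoneMinder.

```python
# Added example (not from the post): flag CSP sources that weaken script/style/plugin loading.
# Why each permissive source expression matters.
WHY = {
    "'unsafe-inline'": "inline code and event handlers are allowed",
    "'unsafe-eval'": "eval() and other string-to-code calls are allowed",
    "https:": "any HTTPS origin is an allowed source",
    "http:": "any HTTP origin is an allowed source",
    "data:": "data: URIs are an allowed source",
    "*": "nearly any origin is an allowed source",
}
# Which expressions to flag for which directive (a choice made for this example).
CHECKS = {
    "script-src": set(WHY),
    "style-src": {"'unsafe-inline'", "*"},
    "object-src": {"https:", "http:", "data:", "*"},
}

def parse_csp(value):
    """Split a policy into {directive: [sources]}; a repeated directive is ignored."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def effective_sources(policy, directive):
    """Sources for a fetch directive: its own list, else default-src, else unrestricted."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", ["*"])

def audit(value):
    """Return sorted (directive, source, reason) tuples for the flagged sources."""
    policy = parse_csp(value)
    return sorted(
        (d, s.lower(), WHY[s.lower()])
        for d, flagged in CHECKS.items()
        for s in effective_sources(policy, d)
        if s.lower() in flagged
    )

# The policy from the post, and a narrower one constructed only for contrast (untested with ZM).
POSTED = "default-src https: data: 'unsafe-inline' 'unsafe-eval'"
CONSTRUCTED = "default-src 'self'; img-src 'self' data:; object-src 'none'"

if __name__ == "__main__":
    for name, value in (("posted", POSTED), ("constructed", CONSTRUCTED)):
        print(name, audit(value) or "nothing flagged")
```

Because the posted policy sets only default-src, every source in it, including data:, applies to scripts as well as images; in the constructed policy data: is confined to img-src.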