Content security policy ?

Forum for questions and support relating to the 1.30.x releases only.
timf
Posts: 95
Joined: Mon Mar 21, 2005 4:07 pm
Location: Lytham St.Annes Lancs.

Content security policy ?

Post by timf » Thu May 31, 2018 9:57 am

Hi,

I have V1.30.4 running nicely under Ubuntu 18.04.

I have recently hardened the Apache server to run HTTPS along with adding a number of security headers - everything still runs nicely and I now get an 'A' when I test the security of the server.

I can get an A+ (highest rating) by tweaking the CSP, but in doing so I can no longer log into ZM from my PC.

Here's the relevant line from my apache2.conf:

Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'"

I've tried dropping https, unsafe-eval and unsafe-inline in any combination and can get an A+, but then ZM login stops working.

Any suggestions about how to get an A+ security, or doesn't it matter?

Regards Tim
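
An added example, not part of the original posts or of ZoneMinder's own code: a small Python check that parses a CSP header value, works out which sources govern script execution (script-src, falling back to default-src), and lists the ones that loosen it, run here on the header quoted in the post above. The weak-source list and all function names are assumptions of this example, not any scanner's actual rule set.

```python
# Added example: report which sources in a CSP header value weaken script protection.
# WEAK_SCRIPT_SOURCES is this example's own assumption, not a real scanner's rule set.

WEAK_SCRIPT_SOURCES = {
    "'unsafe-inline'": "allows inline <script> blocks and event-handler attributes",
    "'unsafe-eval'": "allows eval() and similar string-to-code calls",
    "https:": "allows scripts from any HTTPS host",
    "http:": "allows scripts from any HTTP host",
    "data:": "allows scripts supplied as data: URIs",
    "*": "allows scripts from any host",
}


def parse_csp(value):
    """Split a CSP header value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        # A repeated directive is ignored by browsers, so the first one wins.
        policy.setdefault(name, tokens[1:])
    return policy


def effective_script_sources(policy):
    """script-src falls back to default-src when it is absent."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")  # None means scripts are unrestricted


def audit_script_policy(value):
    """Return a list of (source, reason) findings for script execution."""
    sources = effective_script_sources(parse_csp(value))
    if sources is None:
        return [("(none)", "no script-src or default-src, scripts are unrestricted")]
    return [(s, WEAK_SCRIPT_SOURCES[s.lower()]) for s in sources
            if s.lower() in WEAK_SCRIPT_SOURCES]


# The header value from the post above.
POSTED = "default-src https: data: 'unsafe-inline' 'unsafe-eval'"

if __name__ == "__main__":
    for source, reason in audit_script_policy(POSTED):
        print(f"{source:18} {reason}")
```

The check does not model nonces or hashes, which cause browsers to ignore 'unsafe-inline' when present.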

river100
Posts: 141
Joined: Sun Oct 07, 2007 5:52 pm
Location: Louisiana

Re: Content security policy ?

Post by river100 » Fri Apr 03, 2020 6:29 pm

I commented out the line below > Add CSP Headers line 179 in the file
logged in and it seems to be working

Is removing that going to be a problem?
