From 5a125456573ffc717592fa7b3f189f7a13db8421 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@robotics.uk.to>
Date: Mon, 31 Oct 2016 10:42:03 +0000
Subject: [PATCH] When ssl is enabled only allow https content within the site

---
 src/freedombone-utils-web | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/freedombone-utils-web b/src/freedombone-utils-web
index 80c7f5ee7..d985f03fe 100755
--- a/src/freedombone-utils-web
+++ b/src/freedombone-utils-web
@@ -134,6 +134,7 @@ function nginx_ssl {
     echo '    ssl_prefer_server_ciphers on;' >> $filename
     echo "    ssl_protocols $SSL_PROTOCOLS;" >> $filename
     echo "    ssl_ciphers '$SSL_CIPHERS';" >> $filename
+    echo "    add_header Content-Security-Policy \"default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'\";" >> $filename
     #nginx_stapling $1
 }
 
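Review bot: The header added in nginx_ssl allows `'unsafe-inline'` for both script-src and style-src, so the policy limits where content is loaded from but does not stop inline script injected into a page; a comment above the echo such as `# CSP only blocks non-https loads; 'unsafe-inline' means it is not an XSS mitigation` would keep later readers from assuming otherwise. Without the `always` parameter nginx attaches add_header only to a fixed set of success and redirect status codes, so error pages are served without the policy; if the packaged nginx is 1.7.5 or newer, ending the directive with `\" always;` covers them. add_header is also inherited into a location block only when that block declares no add_header of its own, so any site config that sets headers per location would silently drop the CSP there, which is worth checking in the callers of this function. nginx_ssl begins outside the hunk, so how `$filename` is set before these unquoted appends is not visible here.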
-- 
GitLab