| 1 | # Be sure to restart your server when you modify this file. |
| 2 | |
| 3 | # Define an application-wide content security policy. |
| 4 | # See the Securing Rails Applications Guide for more information: |
| 5 | # https://guides.rubyonrails.org/security.html#content-security-policy-header |
| 6 | |
| 7 | # Rails.application.configure do |
| 8 | # config.content_security_policy do |policy| |
| 9 | # policy.default_src :self, :https |
| 10 | # policy.font_src :self, :https, :data |
| 11 | # policy.img_src :self, :https, :data |
| 12 | # policy.object_src :none |
| 13 | # policy.script_src :self, :https |
| 14 | # policy.style_src :self, :https |
| 15 | # # Specify URI for violation reports |
| 16 | # # policy.report_uri "/csp-violation-report-endpoint" |
| 17 | # end |
| 18 | # |
| 19 | # # Generate session nonces for permitted importmap, inline scripts, and inline styles. |
| 20 | # config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s } |
| 21 | # config.content_security_policy_nonce_directives = %w(script-src style-src) |
| 22 | # |
| 23 | # # Automatically add `nonce` to `javascript_tag`, `javascript_include_tag`, and `stylesheet_link_tag` |
| 24 | # # if the corresponding directives are specified in `content_security_policy_nonce_directives`. |
| 25 | # # config.content_security_policy_nonce_auto = true |
| 26 | # |
| 27 | # # Report violations without enforcing the policy. |
| 28 | # # config.content_security_policy_report_only = true |
| 29 | # end |