From 61dfbf88467a62b72cb14cc459c4808f1df84470 Mon Sep 17 00:00:00 2001
From: AlexisLeDain
Date: Wed, 8 Apr 2026 22:28:46 +0200
Subject: [PATCH] fix: remove unsafe-inline from script-src in CSP example
'unsafe-inline' for script-src negates XSS protection from CSP. Removed it from the security headers example in quarkus-security and all locale copies. Kept 'unsafe-inline' for style-src only (commonly needed by CSS frameworks) with a comment recommending nonces where possible.
---
 docs/ja-JP/skills/quarkus-security/SKILL.md | 5 +++--
 docs/tr/skills/quarkus-security/SKILL.md | 5 +++--
 docs/zh-CN/skills/quarkus-security/SKILL.md | 5 +++--
 skills/quarkus-security/SKILL.md | 6 ++++--
 4 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/docs/ja-JP/skills/quarkus-security/SKILL.md b/docs/ja-JP/skills/quarkus-security/SKILL.md
index 6d3248b7..8c6016db 100644
--- a/docs/ja-JP/skills/quarkus-security/SKILL.md
+++ b/docs/ja-JP/skills/quarkus-security/SKILL.md
@@ -333,9 +333,10 @@ public class SecurityHeadersFilter implements ContainerResponseFilter {
 // HSTS
 headers.putSingle("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
- // CSP
+ // CSP — script-srcに'unsafe-inline'を使用しないでください。XSS保護が無効になります。
+ // 代わりにnonceまたはhashを使用してください。
 headers.putSingle("Content-Security-Policy",
- "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'");
+ "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'");
 }
 }
 ```
diff --git a/docs/tr/skills/quarkus-security/SKILL.md b/docs/tr/skills/quarkus-security/SKILL.md
index 67325b41..f0b46305 100644
--- a/docs/tr/skills/quarkus-security/SKILL.md
+++ b/docs/tr/skills/quarkus-security/SKILL.md
@@ -380,9 +380,10 @@ public class SecurityHeadersFilter implements ContainerResponseFilter {
 // HSTS
 headers.putSingle("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
- // CSP
+ // CSP — script-src için 'unsafe-inline' kullanmayın, XSS korumasını etkisiz kılar;
+ // bunun yerine nonce veya hash kullanın
 headers.putSingle("Content-Security-Policy",
- "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'");
+ "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'");
 }
 }
 ```
diff --git a/docs/zh-CN/skills/quarkus-security/SKILL.md b/docs/zh-CN/skills/quarkus-security/SKILL.md
index ce90e424..3e48b34b 100644
--- a/docs/zh-CN/skills/quarkus-security/SKILL.md
+++ b/docs/zh-CN/skills/quarkus-security/SKILL.md
@@ -303,9 +303,10 @@ public class SecurityHeadersFilter implements ContainerResponseFilter {
 // HSTS
 headers.putSingle("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
- // CSP
+ // CSP — script-src不要使用'unsafe-inline',会使XSS保护失效;
+ // 请改用nonce或hash
 headers.putSingle("Content-Security-Policy",
- "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'");
+ "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'");
 }
 }
 ```
diff --git a/skills/quarkus-security/SKILL.md b/skills/quarkus-security/SKILL.md
index b3fa9705..35b80045 100644
--- a/skills/quarkus-security/SKILL.md
+++ b/skills/quarkus-security/SKILL.md
@@ -380,9 +380,11 @@ public class SecurityHeadersFilter implements ContainerResponseFilter {
 // HSTS
 headers.putSingle("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
- // CSP
+ // CSP — avoid 'unsafe-inline' for script-src as it negates XSS protection;
+ // use nonces or hashes instead. 'unsafe-inline' for style-src is acceptable
+ // when CSS frameworks require it, but prefer nonces where possible.
 headers.putSingle("Content-Security-Policy",
- "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'");
+ "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'");
 }
 }
 ```
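Review bot: The new policy string on the added `"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"` line still omits `base-uri`, which does not fall back to `default-src`, so the example as written leaves the document base URL unrestricted and `script-src 'self'` alone does not pin where relative script URLs resolve; `object-src` is also worth stating explicitly rather than inheriting `'self'`. Extending the example to `"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'"` would make it match the hardening the new comment argues for. The comment tells the reader to use nonces or hashes, but the example shows no nonce being generated per response or emitted in the header, so a sentence such as `// a nonce-based policy needs a fresh random value per response, added as 'nonce-<value>' here and on each <script> tag` (or a pointer to where that is covered) would close the gap. The enclosing method starts outside this hunk (presumably the ContainerResponseFilter#filter override), and the same example is changed identically in the three locale copies earlier in this patch.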