zsp/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-06-12 11:13:11 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: remove unsafe-inline from script-src in CSP example

Browse Source 
'unsafe-inline' for script-src negates XSS protection from CSP.
Removed it from the security headers example in quarkus-security
and all locale copies. Kept 'unsafe-inline' for style-src only
(commonly needed by CSS frameworks) with a comment recommending
nonces where possible.
This commit is contained in:
AlexisLeDain
2026-04-08 22:28:46 +02:00
parent e9089cf44e
commit 61dfbf8846
4 changed files with 13 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
docs/tr/skills/quarkus-security/SKILL.md
View File

@@ -380,9 +380,10 @@ public class SecurityHeadersFilter implements ContainerResponseFilter {
// HSTS
headers.putSingle("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
// CSP
// CSP — script-src için 'unsafe-inline' kullanmayın, XSS korumasını etkisiz kılar;
// bunun yerine nonce veya hash kullanın
headers.putSingle("Content-Security-Policy",
"default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'");
"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'");
}
}
```