From 2eef6cd7efbb215440f1fac7d81f6319dc769cd2 Mon Sep 17 00:00:00 2001
From: Kenny
Date: Mon, 8 Jan 2018 10:55:46 +0100
Subject: [PATCH] improved CSP to contain form-action and experimental require-sri-for

---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 4818171..b5b8192 100644
--- a/README.md
+++ b/README.md
@@ -68,13 +68,13 @@ server {
 Furthermore the following HTTP headers have to be set (Nginx example):
 ```
-add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'";
+add_header Content-Security-Policy "default-src 'self'; form-action 'self'; frame-ancestors 'self'; require-sri-for script style";
 add_header Referrer-Policy "same-origin";
 add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
-add_header X-Content-Security-Policy "default-src 'self'; frame-ancestors 'self'";
+add_header X-Content-Security-Policy "default-src 'self'; form-action 'self'; frame-ancestors 'self'; require-sri-for script style";
 add_header X-Content-Type-Options "nosniff";
 add_header X-Frame-Options "SAMEORIGIN";
-add_header X-Webkit-CSP "default-src 'self'; frame-ancestors 'self'";
+add_header X-Webkit-CSP "default-src 'self'; form-action 'self'; frame-ancestors 'self'; require-sri-for script style";
 add_header X-XSS-Protection "1; mode=block";
 ```