Improve security and privacy with strict meta tags

This commit introduces two meta tags to strengthen the application's
security posture and enhance user privacy, following best practices and
OWASP recommendations.

- Add Content-Security-Policy (CSP) to strictly control which resources
  the application is allowed to load, mitigating the risk of code
  injection attacks such as Cross-Site Scripting (XSS).
- Add `referrer` meta tag to prevent the users' browser from sending the
  page's address, or referrer, when navigating to another site, thereby
  enhancing user privacy.
This commit is contained in:
undergroundwires
2023-12-06 15:08:58 +01:00
parent daa6230fc9
commit ba5b29a35d
3 changed files with 31 additions and 2 deletions
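To see what the policy added in this commit actually decides, here is a small CSP evaluator written for this page (added example, not code from the privacy.sexy project). It parses the exact directive list from the diff and applies the CSP3 fallback rule: fetch directives such as `script-src` inherit `default-src` when absent, while document and navigation directives such as `base-uri` do not, so an omitted `base-uri` means "unrestricted". The page origin `https://example.test`, the request URLs, and the helper names `parsePolicy`, `allows`, `directivesIgnoredInMeta` and `evaluateCommitPolicy` are all assumptions of the example; host-source matching is simplified (no ports, paths or http-to-https upgrade).

```javascript
// Added example (not the project's code): a minimal CSP evaluator applied to
// the policy this commit adds. Fetch directives fall back to default-src when
// absent; document/navigation directives (base-uri, form-action, ...) do not.
// Host-source matching is simplified: ports, paths and http->https upgrades
// are not modeled.

// The policy exactly as it appears in the commit's <meta> element.
const POLICY = `
default-src 'self';
style-src 'self' 'unsafe-inline';
img-src 'self' data:;
form-action 'self';
object-src 'none';
upgrade-insecure-requests;
block-all-mixed-content;
`;

// Assumed page origin for 'self'; the real deployment origin is not on the page.
const SELF_ORIGIN = "https://example.test";

const FETCH_DIRECTIVES = new Set([
  "script-src", "style-src", "img-src", "font-src", "connect-src", "media-src",
  "object-src", "frame-src", "child-src", "worker-src", "manifest-src",
]);

// Directives a <meta http-equiv="Content-Security-Policy"> element cannot
// deliver; browsers ignore them unless they arrive in the HTTP header.
const META_IGNORED = new Set(["frame-ancestors", "report-uri", "sandbox"]);

// Parse "name value value; name ..." into Map<name, string[]>. Newlines inside
// the attribute are ordinary whitespace, so the multi-line form parses as-is.
function parsePolicy(policy) {
  const directives = new Map();
  for (const chunk of policy.split(";")) {
    const [name, ...values] = chunk.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values); // duplicates: first wins
  }
  return directives;
}

function sourceMatches(source, url, selfOrigin) {
  const target = new URL(url);
  if (source === "'self'") return target.origin === selfOrigin;
  if (source.startsWith("'")) return false; // other keywords never match a URL
  if (/^[a-z][a-z0-9+.\-]*:$/i.test(source)) { // scheme-source, e.g. data: or https:
    return target.protocol.toLowerCase() === source.toLowerCase();
  }
  const m = /^(?:([a-z][a-z0-9+.\-]*):\/\/)?([^/:]+)$/i.exec(source); // [scheme://]host
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && target.protocol.toLowerCase() !== `${scheme.toLowerCase()}:`) return false;
  const h = host.toLowerCase();
  return h.startsWith("*.") ? target.hostname.endsWith(h.slice(1)) : target.hostname === h;
}

function listAllows(sources, request, selfOrigin) {
  if (sources.length === 0 || sources.includes("'none'")) return false; // empty list == 'none'
  if (request.inline) return sources.includes("'unsafe-inline'");
  return sources.some((src) => sourceMatches(src, request.url, selfOrigin));
}

// request is { url } for a fetched or navigated resource, or { inline: true }
// for inline script/style. governedBy names the directive that decided, or is
// null when no directive applies and the browser imposes no restriction.
function allows(directives, directive, request, selfOrigin = SELF_ORIGIN) {
  let governedBy = directive;
  let sources = directives.get(directive);
  if (sources === undefined) {
    if (!FETCH_DIRECTIVES.has(directive) || !directives.has("default-src")) {
      return { allowed: true, governedBy: null }; // no directive and no fallback
    }
    governedBy = "default-src";
    sources = directives.get("default-src");
  }
  return { allowed: listAllows(sources, request, selfOrigin), governedBy };
}

function directivesIgnoredInMeta(directives) {
  return [...directives.keys()].filter((name) => META_IGNORED.has(name));
}

// Walk the commit's policy through a few representative (constructed) requests.
function evaluateCommitPolicy() {
  const d = parsePolicy(POLICY);
  return {
    selfScript: allows(d, "script-src", { url: "https://example.test/app.js" }),
    cdnScript: allows(d, "script-src", { url: "https://cdn.example.test/lib.js" }),
    inlineScript: allows(d, "script-src", { inline: true }),
    inlineStyle: allows(d, "style-src", { inline: true }),
    dataImage: allows(d, "img-src", { url: "data:image/png;base64,AAAA" }),
    selfObject: allows(d, "object-src", { url: "https://example.test/plugin.swf" }),
    foreignForm: allows(d, "form-action", { url: "https://evil.example/collect" }),
    foreignBase: allows(d, "base-uri", { url: "https://evil.example/" }),
    ignoredInMeta: directivesIgnoredInMeta(d),
  };
}

console.log(evaluateCommitPolicy());
```

Running it shows the policy blocking a third-party script, inline script and foreign form targets while allowing inline styles and `data:` images, and it shows `foreignBase` coming back allowed with `governedBy: null`: `base-uri` has no `default-src` fallback, so the policy as committed does not stop an injected `<base href>` from re-pointing relative URLs.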


@@ -9,6 +9,21 @@
<meta name="description"
content="Web tool to generate scripts for enforcing privacy & security best-practices such as stopping data collection of Windows and different softwares on it." />
<link rel="icon" href="/favicon.ico">
<!-- Security meta tags based on OWASP recommendations, see https://owasp.org/www-project-secure-headers/ci/headers_add.json -->
<meta
http-equiv="Content-Security-Policy"
content="
default-src 'self';
style-src 'self' 'unsafe-inline';
img-src 'self' data:;
form-action 'self';
object-src 'none';
upgrade-insecure-requests;
block-all-mixed-content;
"
>
<meta name="referrer" content="no-referrer">
</head>
<body>
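Review bot: `base-uri` is missing from the policy, and unlike the fetch directives it does not fall back to `default-src`, so an injected `<base href>` could still re-point every relative script and form URL on the page; add `base-uri 'self';` beside `form-action 'self';`. Two smaller points on the same block: `block-all-mixed-content;` is deprecated in CSP3 and redundant once `upgrade-insecure-requests;` is present, so it can go; and because the policy is delivered via `<meta http-equiv>` rather than an HTTP header, `frame-ancestors` (the clickjacking control) cannot be added here and is silently ignored, and the `<link rel="icon" href="/favicon.ico">` placed above the meta element is not governed by the policy, so the header form is preferable if the host allows it. Finally, `'unsafe-inline'` in `style-src` is the one relaxation in this list and deserves a comment saying which inline styles require it, so it can be revisited with a nonce or hash later.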