Secure by default(reprinted)
The default configuration of the theme gets an A+ score on Mozilla Observatory.[1]
This is accomplished by programatically configuring Content Security Policy (CSP) headers based on a user-defined list of allowed domains in the config.toml
file. Here’s the default and recommended setup (you could remove the last directive if you don’t want to embed YouTube videos):
[]
= [
{ = "font-src", = ["'self'", "data:"] },
{ = "img-src", = ["'self'", "https://*", "data:"] },
{ = "script-src", = ["'self'"] },
{ = "style-src", = ["'self'"] },
{ = "frame-src", = ["https://www.youtube-nocookie.com"] },
]
The allowed_domains
list specifies the URLs that the website should be able to connect to, and each domain in the list is associated with a CSP directive such as frame-src
, connect-src
, or script-src
. The templates/partials/header.html
file dynamically generates the CSP header based on this list.
This feature allows you to easily customize the website’s security headers to allow for specific use cases, such as embedding YouTube videos, loading scripts or remote fonts (not recommended).
You can disable the CSP (allowing all connections) on a page, section, or globally by setting enable_csp = false
in the front matter or config.toml
file.
Notes:
Enabling comments or analytics automatically allows scripts/frames/styles/connections as needed from the respective services.
To use a Zola built-in syntax highlighting theme, you need to allow
unsafe-inline
in thestyle-src
directive:{ directive = "style-src", domains = ["'self'", "'unsafe-inline'"] },
Requires proper webserver configuration (e.g. redirecting HTTP traffic to HTTPS). ↩