Commit ed49820

fix(security): block unsafe inline stylesheets
Removes 'unsafe_inline' from the style_src nginx directive to prevent inline stylesheets from being loaded.

See https://ghe/HMDA-Operations/hmda-devops/issues/4529

Fixes #2480
1 parent 948660e commit ed49820

1 file changed

+1
-1
lines changed

nginx/nginx.conf

Lines changed: 1 addition & 1 deletion
@@ -30,7 +30,7 @@ http {
3030
"default-src 'self' blob:;
3131
script-src 'self' 'nonce-$request_id' blob: data: https://dap.digitalgov.gov https://tagmanager.google.com https://www.googletagmanager.com https://www.google-analytics.com https://*.cfpb.gov https://www.consumerfinance.gov https://*.mouseflow.com;
3232
img-src 'self' blob: data: https://www.googletagmanager.com https://www.google-analytics.com https://raw.githubusercontent.com;
33-
style-src 'self' 'unsafe-inline';
33+
style-src 'self';
3434
font-src 'self' data:;
3535
object-src 'none';
3636
frame-src 'self' https://www.youtube.com/ https://ffiec.cfpb.gov/;
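
Review bot: the new `style-src 'self';` line leaves no allowance for any inline style the site still relies on, so every `<style>` element and `style="..."` attribute is now refused, including any injected by the third-party scripts permitted on the `script-src` line above. If inline `<style>` blocks are still needed, reuse the `'nonce-$request_id'` source that `script-src` already carries instead of reverting to `'unsafe-inline'`. Nonces do not cover `style` attributes, so those would have to move into stylesheets served from `'self'`. The commit message also names the token as 'unsafe_inline' and the directive as style_src, while the policy uses `'unsafe-inline'` and `style-src`; matching the spelling would make the change easier to find by search.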
