Content Security Policy (CSP) for *.up2share.site
Why We Enforce Content Security Policies
At Up2Share, security is a top priority. We enforce strict Content Security Policies (CSP) to protect your static websites and our platform. Here are the key reasons for implementing these limitations:
- Prevent Cross-Site Scripting (XSS) Attacks: CSP helps prevent malicious scripts from being injected into your site, reducing the risk of XSS attacks.
- Data Privacy: Restricting resources to trusted domains ensures that your data is only shared with known and secure sources.
- Improved Performance: By allowing only trusted CDNs and services, we can ensure that resources are loaded efficiently and reliably.
- Mitigate Other Vulnerabilities: CSP helps prevent various other vulnerabilities by controlling which resources can be loaded and executed on your site.
Allowed Domains and Sources
To maintain a secure environment while providing flexibility, we have curated a list of trusted external services. You can use resources (e.g., JavaScript libraries, CSS files, fonts) from the following domains:
- Google:
  https://ajax.googleapis.com (Google Libraries API)
  https://fonts.googleapis.com (Google Fonts)
  https://fonts.gstatic.com (Google Fonts)
  https://www.gstatic.com
- Cloudflare:
  https://cdnjs.cloudflare.com (CDN for JS libraries)
- jsDelivr:
  https://cdn.jsdelivr.net
- Microsoft:
  https://ajax.aspnetcdn.com
  https://ajax.microsoft.com
- Bootstrap:
  https://maxcdn.bootstrapcdn.com
  https://stackpath.bootstrapcdn.com
- jQuery:
  https://code.jquery.com
- Font Awesome:
  https://use.fontawesome.com
- Unpkg:
  https://unpkg.com
- Other:
  https://cdn.rawgit.com
  https://kit.fontawesome.com
Full CSP Directives
Here is a detailed list of the CSP directives and the allowed sources, including 'unsafe-inline' for inline scripts and styles:
default-src 'self' https://ajax.googleapis.com https://fonts.googleapis.com https://fonts.gstatic.com https://www.gstatic.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://ajax.aspnetcdn.com https://ajax.microsoft.com https://maxcdn.bootstrapcdn.com https://stackpath.bootstrapcdn.com https://code.jquery.com https://use.fontawesome.com https://unpkg.com https://cdn.rawgit.com https://kit.fontawesome.com;
script-src 'self' 'unsafe-inline' https://ajax.googleapis.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://ajax.aspnetcdn.com https://ajax.microsoft.com https://maxcdn.bootstrapcdn.com https://stackpath.bootstrapcdn.com https://code.jquery.com https://use.fontawesome.com https://unpkg.com;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://maxcdn.bootstrapcdn.com https://stackpath.bootstrapcdn.com https://use.fontawesome.com;
img-src 'self' data: https://*.google.com https://*.gstatic.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://maxcdn.bootstrapcdn.com https://stackpath.bootstrapcdn.com https://use.fontawesome.com https://unpkg.com;
connect-src 'self' https://ajax.googleapis.com https://fonts.googleapis.com https://fonts.gstatic.com https://www.gstatic.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://ajax.aspnetcdn.com https://ajax.microsoft.com https://maxcdn.bootstrapcdn.com https://stackpath.bootstrapcdn.com https://code.jquery.com https://use.fontawesome.com https://unpkg.com;
font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://maxcdn.bootstrapcdn.com https://stackpath.bootstrapcdn.com https://use.fontawesome.com;
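To see how a browser applies a policy like the one above, here is an added example (not Up2Share's code) that parses an excerpt of it and reports which of a site's resources would be blocked; the site origin demo.up2share.site and the sample manifest are assumptions.

```javascript
// Added example, not code from Up2Share's page or platform: a simplified CSP
// evaluator that parses a policy, resolves the governing directive for a fetch
// (falling back to default-src as browsers do) and says whether a URL passes.
// Handles 'self', scheme sources (data:), exact and leading-wildcard hosts (https://*.google.com); ignores nonces, hashes, ports and paths.
// POLICY is an excerpt of the policy on this page; PAGE_ORIGIN is an assumed site.
const PAGE_ORIGIN = "https://demo.up2share.site";
const POLICY =
  "default-src 'self' https://ajax.googleapis.com https://kit.fontawesome.com; " +
  "script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://code.jquery.com; " +
  "img-src 'self' data: https://*.google.com https://*.gstatic.com; " +
  "font-src 'self' https://fonts.gstatic.com";
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function sourceMatches(source, url, origin) {
  if (source === "'self'") return url === origin || url.startsWith(origin + "/");
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.toLowerCase().startsWith(source.toLowerCase());
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^/:*]+)$/i.exec(source);
  if (!m) return false; // keywords such as 'unsafe-inline' never match a URL
  const target = new URL(url);
  if (target.protocol !== m[1].toLowerCase() + ":") return false;
  const host = m[3].toLowerCase();
  return m[2] ? target.hostname.endsWith("." + host) : target.hostname === host;
}

// directive is the fetch's governing directive, e.g. "script-src" or "img-src".
function isAllowed(directives, directive, url, origin = PAGE_ORIGIN) {
  const sources = directives[directive] ?? directives["default-src"] ?? [];
  return sources.some((s) => sourceMatches(s, url, origin));
}
// Audit a resource manifest; returns the [directive, url] pairs the policy blocks.
function blockedResources(policy, resources, origin = PAGE_ORIGIN) {
  const directives = parsePolicy(policy);
  return resources.filter(([d, url]) => !isAllowed(directives, d, url, origin));
}
// Constructed manifest of what a static site wants to load.
const SAMPLE = [
  ["script-src", "https://code.jquery.com/jquery-3.7.1.min.js"],
  ["script-src", "http://code.jquery.com/jquery-3.7.1.min.js"], // scheme downgrade
  ["img-src", "https://maps.google.com/logo.png"],
  ["img-src", "data:image/png;base64,iVBORw0KGgo="],
  ["frame-src", "https://cdn.jsdelivr.net/embed.html"], // no frame-src, so default-src applies
];
console.log(blockedResources(POLICY, SAMPLE));
```

Because script-src carries 'unsafe-inline', inline scripts are not governed by the host list at all; the evaluator only models URL-based fetches, which is where this policy's protection lies.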
Requesting Additional Services
We understand that you might need to use other external services for your website. If you require support for additional domains or services, please contact us with your request. We will review and consider adding them to the list of trusted sources.
Contact Us:
- Email: support@up2sha.re
Thank you for helping us maintain a secure and efficient platform for all users.