Content Security Policy

by Hal MacLean

Moodle 3.7, Ubuntu 16.04

I am a little confused as to what to include in the content security policy for the server, which only really manages Moodle sites. I have tried a few rules but am somehow blocking some or other functions which we need to allow. Does anyone have any suitable examples of rules that work with Moodle to allow the full functionality within Moodle but to protect against XSS or other attack vectors?

I've seen the CSP plugin - not sure if this is going to do what we need or whether to enter the CSP in the vhost file - the latter seems more likely to protect the domain than the plugin, but I've not got enough experience to actually know what I'm talking about there ;)

The server is running SSL. At the moment the database and web code are on the same box, but in future we are likely to split those out to separate boxes. Any help would be great!
