Improving 'Best Practices' score on Lighthouse

How do I ‘Ensure CSP is effective against XSS attacks’ in Webflow?

My published site is getting a reduced ‘Best Practices’ score on Lighthouse for this reason.


I’m curious about this one as well

Nothing happening here, huh?

I don’t know all of the considerations for deciding between a nonce- or hash-based CSP (a pain to make effective across browsers, refactoring HTML to remove incompatible patterns, etc.). But can we please set one as an HTTP response header to satisfy Lighthouse (and more importantly as defense against cross-site scripting).

If you want custom security headers you need to pay big bucks. It’s an Enterprise offering.

You might want to look into using Cloudflare: "Content Security Policies (CSPs) and Cloudflare" in the Cloudflare Fundamentals docs.