📝 fix: clarify requirements for A+ Observatory score

2 years ago · 65a3fcebba
parent 1b5ed1546a
commit 65a3fcebba
1 changed files with 3 additions and 1 deletions
--- a/content/blog/security.md
+++ b/content/blog/security.md
@ -8,7 +8,7 @@ description = "tabi has an easily customizable Content Security Policy (CSP) wit
 tags = ["security", "showcase"]
 +++

-The default configuration of the theme gets an A+ score on [Mozilla Observatory](https://observatory.mozilla.org).
+The default configuration of the theme gets an A+ score on [Mozilla Observatory](https://observatory.mozilla.org).[^1]

 This is accomplished by programatically configuring Content Security Policy (CSP) headers based on a user-defined list of allowed domains in the theme's `config.toml` file. Here's the default and recommended setup (you could remove the last directive if you don't want to embed videos):

@ -25,3 +25,5 @@ allowed_domains = [
 The allowed_domains list specifies the URLs that the website should be able to connect to, and each domain in the list is associated with a CSP directive such as `frame-src`, `connect-src`, or `script-src`. The `templates/partials/header.html` file dynamically generates the CSP header based on this list.

 This feature allows you to easily customize the website's security headers to allow for specific use cases, such as embedding YouTube videos, loading remote fonts ([not recommended](https://www.albertovarela.net/blog/2022/11/stop-using-google-fonts/)) or scripts.
+
+[^1]: Requires proper webserver configuration (e.g. redirecting HTTP traffic to HTTPS).