System Information
- Strapi Version: v4
- Operating System:
- Database:
- Node Version:
- NPM Version:
- Yarn Version:
Hi team,
I added a custom security policy for an AWS S3 bucket like this:
module.exports = [
  // ...
  {
    name: 'strapi::security',
    config: {
      contentSecurityPolicy: {
        // keep the default directives and override/add the ones below
        useDefaults: true,
        directives: {
          'connect-src': ["'self'", 'https:'],
          'img-src': [
            "'self'",
            'data:',
            'blob:',
            'market-assets.strapi.io',
            'yourBucketName.s3.yourRegion.amazonaws.com',
          ],
          'media-src': [
            "'self'",
            'data:',
            'blob:',
            'market-assets.strapi.io',
            'yourBucketName.s3.yourRegion.amazonaws.com',
          ],
          // null removes this default directive from the header
          upgradeInsecureRequests: null,
        },
      },
    },
  },
  // ...
]
But I see these detailed configs in the response header:
< content-security-policy: connect-src 'self' https:;img-src 'self' data: blob: market-assets.strapi.io https://mydomain.com;media-src 'self' data: blob: market-assets.strapi.io https://mydomain.com;default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline'
Is this expected? And is it safe to expose this to the public?
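As an added example (not code from the post or from Strapi), the snippet below reproduces how the `contentSecurityPolicy` directives are merged when `useDefaults: true` is set (the defaults listed are the ones visible in the posted header, `null` removes a directive), and parses a captured `content-security-policy` header so the two can be compared; `buildCsp`, `parseCsp` and `DEFAULT_DIRECTIVES` are names chosen here, not Strapi APIs.

```javascript
// Default CSP directives as they appear in the header quoted in the post
// (assumption: these are the middleware defaults merged under useDefaults).
const DEFAULT_DIRECTIVES = {
  'default-src': ["'self'"],
  'base-uri': ["'self'"],
  'font-src': ["'self'", 'https:', 'data:'],
  'form-action': ["'self'"],
  'frame-ancestors': ["'self'"],
  'img-src': ["'self'", 'data:'],
  'object-src': ["'none'"],
  'script-src': ["'self'"],
  'script-src-attr': ["'none'"],
  'style-src': ["'self'", 'https:', "'unsafe-inline'"],
  'upgrade-insecure-requests': [],
};

// camelCase config keys (upgradeInsecureRequests) become kebab-case names.
function toDirectiveName(key) {
  return key.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

// Merge user directives over the defaults: a key present in the config
// replaces the default list entirely; a null value deletes the directive.
function buildCsp({ useDefaults, directives }) {
  const merged = useDefaults ? { ...DEFAULT_DIRECTIVES } : {};
  for (const [key, value] of Object.entries(directives)) {
    const name = toDirectiveName(key);
    if (value === null) delete merged[name];
    else merged[name] = [...value];
  }
  return merged;
}

// Serialize {directive: [sources]} into a header value.
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => [name, ...sources].join(' '))
    .join(';');
}

// Parse a Content-Security-Policy header value into {directive: [sources]}.
function parseCsp(header) {
  const out = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) out[name] = sources;
  }
  return out;
}
```

Running `buildCsp` on the post's config (with the bucket host substituted by the redacted `https://mydomain.com`) yields the same directive set as the captured header, which is why the extra defaults show up.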