I want to keep my Shiny applications secure and reduce the risk of cross-site scripting and other code injection attacks.
I understand that defining a strict CSP can mitigate such risks; however, it also breaks the functionality of Shiny.
I tried using a CSP header of script-src 'self'; but it breaks Shiny's functionality. Using script-src 'self' 'unsafe-inline' 'unsafe-eval'; works, but from what I read, I presume it is too vulnerable.
What would be a reasonable CSP that actually works?
I'm using Shiny Server (open source) v126.96.36.1993, and Nginx/1.14.0.
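Added example, not part of the question and not code from Shiny or nginx: a small Python checker that parses a Content-Security-Policy header value and reports which script source expressions weaken it. It is run here over the two script-src policies quoted in the question (constructed inputs copied from the text). The directive parsing and the list of risky sources follow the CSP specification; the function names are chosen for this example. It does not claim which policy Shiny will tolerate, only what each header permits an attacker to do.

```python
from __future__ import annotations

# Source expressions that weaken script execution controls, with the reason.
# (Constructed for this example; the reasons follow the CSP specification.)
RISKY_SOURCES = {
    "'unsafe-inline'": "inline <script> blocks and on* handlers run, which is exactly what reflected/stored XSS injects",
    "'unsafe-eval'": "eval()/new Function()/string setTimeout run, so injected strings can still become code",
    "*": "scripts load from any origin",
    "https:": "scripts load from any https origin, not just your own",
    "http:": "scripts load from any http origin, not just your own",
    "data:": "data: URIs are allowed, and an attacker can inline a script in one",
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directives are ';'-separated and tokens whitespace-separated. Browsers
    honour only the first occurrence of a repeated directive, so keep that one.
    """
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def effective_script_sources(policy: dict[str, list[str]]) -> list[str] | None:
    """script-src governs script execution; default-src is its fallback.

    Returns None when neither is present, meaning scripts are unrestricted.
    """
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def audit_script_src(header: str) -> list[str]:
    """Return one finding per weakness in the policy's effective script sources."""
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return ["no script-src or default-src: script loading is unrestricted"]

    findings: list[str] = []
    # Under CSP Level 3 a nonce or hash source makes 'unsafe-inline' a no-op;
    # policies keep it only as a fallback for pre-CSP3 browsers.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    for src in sources:
        if src == "'unsafe-inline'" and has_nonce_or_hash:
            findings.append("'unsafe-inline' is ignored because a nonce/hash is present (legacy fallback only)")
        elif src in RISKY_SOURCES:
            findings.append(f"{src}: {RISKY_SOURCES[src]}")
        elif src.startswith(("http://", "https://")) and "*" in src:
            findings.append(f"{src}: wildcard host, any matching subdomain can serve scripts")
    return findings


# Constructed inputs: the two header values quoted in the question above.
STRICT = "script-src 'self';"
PERMISSIVE = "script-src 'self' 'unsafe-inline' 'unsafe-eval';"

if __name__ == "__main__":
    for name, header in (("strict", STRICT), ("permissive", PERMISSIVE)):
        print(f"{name}: {header}")
        for finding in audit_script_src(header) or ["no script-src weaknesses found"]:
            print("  -", finding)
```

Running it shows the strict header yields no findings, while the permissive one is flagged twice: 'unsafe-inline' re-enables exactly the inline script execution that an XSS payload relies on, and 'unsafe-eval' lets any injected string become code. When tightening a policy, checking the candidate header with something like this before deploying it is cheaper than discovering in production that a fallback source reopened the hole.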