Improve default Content-Security-Policy value (#224)

See h5bp/server-configs-apache#181

h5bp/security/content-security-policy.conf

@@ -8,16 +8,21 @@
 # This can be done by setting a `Content Security Policy` which
 # whitelists trusted sources of content for your website.
 #
-# The example header below allows ONLY scripts that are loaded from
-# the current website's origin (no inline scripts, no CDN, etc).
-# That almost certainly won't work as-is for your website!
+# There is no policy that fits all websites, you will have to modify
+# the `Content-Security-Policy` directives in the example depending
+# on your needs.
 #
-# To make things easier, you can use an online CSP header generator
-# such as: https://www.cspisawesome.com/.
+# To make your CSP implementation easier, you can use an online CSP header
+# generator such as:
+# https://report-uri.com/home/generate/
 #
+# It is encouraged that you validate your CSP header using a CSP validator
+# such as:
+# https://csp-evaluator.withgoogle.com
+#
+# https://csp.withgoogle.com/docs/
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
-# https://www.w3.org/TR/CSP3/
-# https://content-security-policy.com/
 # https://www.html5rocks.com/en/tutorials/security/content-security-policy/
+# https://www.w3.org/TR/CSP/
 
 add_header Content-Security-Policy $content_security_policy always;

nginx.conf

@@ -112,7 +112,7 @@ http {
   # Add Content-Security-Policy for HTML documents.
   # h5bp/security/content-security-policy.conf
   map $sent_http_content_type $content_security_policy {
-    ~*text/html "script-src 'self'; object-src 'self'";
+    ~*text/html "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests";
   }
 
   # Add Referrer-Policy for HTML documents.