In Pode v2.6.0 support was added for HTTP security headers to be automatically added to requests, such as: Access Control, Cross-Origin, Content Security Policy, and more.
Pode.Web uses this feature to automatically set some default headers on requests, to make your site more secure.
To set which security type to use, you can optionally specify a type via the -Security parameter on Use-PodeWebTemplates. The valid values are: None, Default, Simple, and Strict.

```powershell
Use-PodeWebTemplates -Title 'Test' -Theme Dark -Security Simple
```
In the case of the Default, Simple and Strict types, Pode.Web uses the inbuilt security types within Pode (Simple for Default), and adds some extra essential default Content Security Policy rules to allow Pode.Web to function:

* script-src: self, unsafe-inline
* style-src: self, unsafe-inline
* image-src: self, data
None

This type is pretty self-explanatory: if specified, Pode.Web will call Remove-PodeSecurity to remove all security headers.
Default

This type is the default that Pode.Web uses when no -Security is supplied. Under the hood this type uses the Simple security type within Pode, plus some extras:

- The default-src, script-src, style-src, and media-src for Content Security Policy are extended with https, to allow content to be retrieved externally
- The Cross-Origin headers are removed
- The essentials above
Simple

This is just the Simple security type within Pode, plus the essentials mentioned above.

Strict

This is just the Strict security type within Pode, plus the essentials mentioned above.
Content Not Loading
If you're using the Simple or Strict types, and you find that media isn't loading, then you likely need to add extra Content Security Policy rules. In the Default type, http/https is added to prevent this from occurring, so the same should work also:

```powershell
Add-PodeSecurityContentSecurityPolicy `
    -Default 'http', 'https' `
    -Style 'http', 'https' `
    -Scripts 'http', 'https' `
    -Image 'http', 'https'
```
However, if you want to control it more granularly, then you'll need to specify the URLs for media appropriately. For example, if you were loading audio from https://samplelib.com then you'd need to add:

```powershell
Add-PodeSecurityContentSecurityPolicy -Media 'https://samplelib.com'
```
The same also applies to styles and scripts as well.
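Putting the Strict type and the granular CSP rule together, here is an added example (not code from the Pode.Web docs or project) of a minimal Pode.Web server that allows media from a single host rather than opening http/https everywhere, plus a hypothetical helper, Test-PodeWebSecurityHeaders, that you run from a second console to confirm which security headers the server actually returns. It assumes the Pode and Pode.Web modules are installed, that port 8090 is free, and uses https://samplelib.com as the media host from the example above.

```powershell
# Added example, not part of the Pode.Web documentation.
# Assumes the Pode and Pode.Web modules are installed and port 8090 is free.
Import-Module Pode
Import-Module Pode.Web

# Hypothetical helper: fetch the site once and report which security headers are present.
# The header list is the set a reviewer would typically look for, not Pode's exact list;
# which ones appear depends on the -Security type chosen (and HSTS on whether -UseHSTS is set).
function Test-PodeWebSecurityHeaders {
    param([string]$Url = 'http://localhost:8090')

    $expected = @(
        'Content-Security-Policy',
        'X-Content-Type-Options',
        'X-Frame-Options',
        'Referrer-Policy',
        'Permissions-Policy',
        'Strict-Transport-Security'
    )

    $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing

    foreach ($name in $expected) {
        # header names are case-insensitive, so match the key by name rather than indexing directly
        $key = $resp.Headers.Keys | Where-Object { $_ -ieq $name } | Select-Object -First 1
        [pscustomobject]@{
            Header  = $name
            Present = [bool]$key
            Value   = if ($key) { $resp.Headers[$key] } else { $null }
        }
    }
}

# The server itself. Start-PodeServer blocks until stopped, so call
# Test-PodeWebSecurityHeaders from a separate PowerShell session, e.g.:
#   Test-PodeWebSecurityHeaders -Url 'http://localhost:8090' | Format-Table
Start-PodeServer {
    Add-PodeEndpoint -Address localhost -Port 8090 -Protocol Http

    # Strict: Pode's Strict security headers plus Pode.Web's essential CSP rules
    Use-PodeWebTemplates -Title 'Test' -Theme Dark -Security Strict

    # Granular CSP: only this host may serve media, instead of allowing all of http/https
    Add-PodeSecurityContentSecurityPolicy -Media 'https://samplelib.com'

    Add-PodeWebPage -Name 'Home' -Icon 'Home' -ScriptBlock {
        New-PodeWebCard -Content @(
            New-PodeWebText -Value 'Media may only be loaded from https://samplelib.com'
        )
    }
}
```

Checking the Content-Security-Policy value returned by the helper is the quickest way to see whether the media-src rule you added is actually being sent before debugging why a browser refuses to load a file.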
If you need to enable HSTS for your site, you can do so via supplying the -UseHSTS switch on
Using securityheaders.com on a Pode.Web site hosted publicly with the -Security set as Default, an A rating is achieved: