Sheogorath authored
Using GitLab's own CSP generation allows the usage of proper nonces and the like, which drops the requirement for `unsafe-inline` and `unsafe-eval` in the CSP. This boosts security. The current setup of this role disables the integration of recaptcha and Google Cloud for K8s intentionally, as on SI-GitLab it's not used anyway. If you use this role to deploy it on your own infrastructure, the default configs should provide you with the needed rules that you put into the config of your ansible group.

For upstream reference, see the configs:

https://docs.gitlab.com/omnibus/settings/configuration.html#content-security-policy
https://gitlab.com/gitlab-org/gitlab-foss/-/blob/12-8-stable/config/gitlab.yml.example#L53
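Added example, not part of this commit or of the role itself: a small Python check a deployer can run over the `Content-Security-Policy` header the instance actually serves after the change, to confirm that the generated policy carries a script nonce and no longer contains `'unsafe-inline'`, `'unsafe-eval'` or the reCAPTCHA/Google hosts this role leaves disabled. Both headers below are constructed samples, not captured from a real GitLab.

```python
import re
from typing import Dict, List

# Constructed sample headers (not captured from any real GitLab instance).
# "Before": a hand-written CSP that still needs inline/eval allowances and
# the reCAPTCHA hosts.
CSP_BEFORE = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' "
    "https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; "
    "style-src 'self' 'unsafe-inline'; "
    "frame-src 'self' https://www.google.com/recaptcha/"
)
# "After": the shape of a nonce-based policy generated by GitLab itself
# (nonce value is made up; a real one changes per response).
CSP_AFTER = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-d2VsbCBkb25l' 'strict-dynamic'; "
    "style-src 'self' 'nonce-d2VsbCBkb25l'; "
    "connect-src 'self' wss://gitlab.example.org"
)

NONCE_RE = re.compile(r"^'nonce-[A-Za-z0-9+/=_-]+'$")
UNSAFE = ("'unsafe-inline'", "'unsafe-eval'")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_csp(header: str, unwanted_hosts=("google.com", "gstatic.com", "recaptcha.net")):
    """Report whether the served policy matches what this change is meant to achieve."""
    d = parse_csp(header)
    # script-src falls back to default-src when absent, as browsers do.
    script = d.get("script-src", d.get("default-src", []))
    has_nonce = any(NONCE_RE.match(s) for s in script)
    # A nonce makes browsers ignore 'unsafe-inline' in that directive anyway,
    # but its presence still signals a stale hand-written policy, so flag it.
    unsafe = sorted({s for v in d.values() for s in v if s in UNSAFE})
    stray = sorted({s for v in d.values() for s in v if any(h in s for h in unwanted_hosts)})
    return {"script_nonce": has_nonce, "unsafe_keywords": unsafe,
            "unwanted_hosts": stray, "ok": has_nonce and not unsafe and not stray}
```

Feed it the header from `curl -sI https://<your-gitlab>/` to check a live deployment; the `unwanted_hosts` list is an assumption and should mirror whichever integrations you actually leave disabled.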