Currently it’s impossible to turn off ‘unsafe-inline’ in your Content-Security-Policy header, since ghost_head outputs an inline script tag. Hence, it’s impossible to achieve the highest grade on https://securityheaders.com/ for instance…
The script that’s currently output by {{ghost_head}} is for initialising the v0.1 API, which has been deprecated; as far as I know, in Ghost v3 we will remove it completely.
However, if you’re not using the v0.1 api - you should be able to switch it off in labs, and the script will be removed
@naz Might be able to confirm this?
@osirisguitar which script exactly is preventing you from turning off unsafe-inline? But assuming @egg is right about the script injected by API v0.1, moving to API v2 or disabling API v0.1 should remove it and the problem will be solved.
Turned off the old API in labs and the script tag is gone. Thanks for your help!
Turned off ‘unsafe-inline’ and got an A+ on my header report card now :-D
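As an added illustration (not code from this thread or from Ghost), here is a small Python check of whether a Content-Security-Policy header still permits inline scripts, i.e. whether an inline tag such as the one {{ghost_head}} used to emit would be allowed; it handles the script-src fallback to default-src and the fact that a nonce or hash source makes browsers ignore 'unsafe-inline'. The two sample headers are constructed.

```python
# Constructed sample headers (not taken from the thread): a policy that still
# allows inline scripts, and a tightened one for after the inline tag is gone.
CSP_BEFORE = "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'"
CSP_AFTER = "default-src 'self'; script-src 'self'; object-src 'none'"

# Source expressions that, when present, cause browsers to ignore 'unsafe-inline'
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            # Directive names are case-insensitive; source values are kept as-is
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Return the sources governing a fetch directive, falling back to default-src."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def allows_inline_scripts(header):
    """True if a browser honouring this header would execute an inline <script>."""
    sources = effective_sources(parse_csp(header), "script-src")
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" not in lowered:
        return False
    # A nonce or hash in the same directive disables 'unsafe-inline' (CSP Level 2+)
    return not any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in lowered)


if __name__ == "__main__":
    for label, header in (("before", CSP_BEFORE), ("after", CSP_AFTER)):
        print(f"{label}: inline scripts allowed = {allows_inline_scripts(header)}")
```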