I'm currently trying to secure an Angular website with security headers in IIS. So far most of the headers work without any error, but I'm stuck with the Content-Security-Policy header.
I ended up using values like 'unsafe-inline' and 'unsafe-eval' etc., which, as I understand it, is not really ideal.
Is there a default stringent CSP header that can be used and relaxed until no more errors appear with an Angular site, or any suggestions on a best practice for how to use it with an Angular site?
I found that the following content security policy worked with my angular site:
connect-src 'self';
default-src 'self';
object-src 'none';
script-src 'self' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
worker-src 'none';
font-src 'self' 'unsafe-inline' data:;
img-src 'self' data:;
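For the IIS part of the question, here is how the policy from the answer above can be set as a response header in the site's web.config. This is an added example, not the answerer's configuration: it assumes the Angular build output is served as a static IIS site (so the header is set via the `customHeaders` section of `system.webServer`) and that the `/csp-report` endpoint is a placeholder you would have to implement yourself. The second, stricter header is sent in Report-Only mode so the browser reports what it would have blocked without actually blocking it, which is the usual way to tighten a CSP step by step instead of starting permissive.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.config for a static Angular site on IIS (not from the original post). -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Enforced policy: the one posted in the answer above, as a single header value.
             Note that 'unsafe-inline' in font-src is not a recognised source for that directive
             and is simply ignored by browsers. -->
        <add name="Content-Security-Policy"
             value="default-src 'self'; connect-src 'self'; object-src 'none'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; worker-src 'none'; font-src 'self' data:; img-src 'self' data:;" />

        <!-- Report-only candidate: the same policy with 'unsafe-eval' and 'unsafe-inline' removed.
             Violations are reported to /csp-report (placeholder endpoint, assumed; you must provide it)
             but nothing is blocked, so you can see whether the site still works before enforcing it. -->
        <add name="Content-Security-Policy-Report-Only"
             value="default-src 'self'; connect-src 'self'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'none'; font-src 'self' data:; img-src 'self' data:; report-uri /csp-report;" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

Once the Report-Only header produces no violation reports during normal use of the application, the stricter value can be moved into the enforced `Content-Security-Policy` header and the Report-Only entry removed or used for the next tightening step.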