Content Security Policy 报告与子资源完整性(SRI)实践

CSP 头部（含报告）： ``` Content-Security-Policy: default-src 'self'; img-src 'self' https: data:; script-src 'self' https: 'nonce-abc123'; style-src 'self' https: 'unsafe-inline'; connect-src 'self' https:; report-uri https://report.example.com/csp ``` 使用 Report-To 与 CSP 报告： ``` Report-To: {"group":"csp","max_age":10800,"endpoints":[{"url":"https://report.example.com/reports"}]} Content-Security-Policy: default-src 'self'; report-to csp ``` 页面内 nonce 与 SRI 示例： ``` ``` Nginx 设置 CSP 与报告： ``` add_header Content-Security-Policy "default-src 'self'; script-src 'self' https: 'nonce-abc123'; report-uri https://report.example.com/csp" always; add_header Report-To '{"group":"csp","max_age":10800,"endpoints":[{"url":"https://report.example.com/reports"}]}' always; ```