Security

CSP XSS Prevention

<IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'self'"
</IfModule>

With a strict CSP rule like the one above, <a href="javascript:void(null)">does not click</a> does nothing: a javascript: URL counts as inline script and is blocked.

Consider using <a href="#0">will work</a> instead, or use the unobtrusive version (the handler is attached from an external script, e.g. with addEventListener, rather than in the markup).

To allow inline scripts (not recommended), add 'unsafe-inline' to script-src.

To allow eval() and similar string-to-code execution (not recommended), add 'unsafe-eval'.

The methods execute, setFunction, domResponse and call rely on eval().

When the CSP disallows eval (no 'unsafe-eval'), these methods do not work.
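To see how a header value such as the one above decides these cases, here is an added example (not code from the original notes or from the project) that parses a Content-Security-Policy string and reports whether inline scripts, javascript: URLs and eval-style execution are permitted; the function names are made up for the example, and the policy strings are constructed inputs.

```javascript
// Added example: minimal CSP script-policy analyser (hypothetical helper names).
// Models two rules of the real CSP spec that matter for the notes above:
//  - script-src falls back to default-src when script-src is absent;
//  - 'unsafe-inline' is ignored once a nonce or hash source is present.

function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    // Browsers honour the first occurrence of a directive and ignore later duplicates.
    if (!(key in directives)) directives[key] = values;
  }
  return directives;
}

// Effective source list for scripts: script-src if present, otherwise default-src.
function scriptSources(directives) {
  return directives['script-src'] || directives['default-src'] || null;
}

function analyseScriptPolicy(header) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) {
    // No governing directive at all: scripts are unrestricted by this policy.
    return { governed: false, inlineScripts: true, javascriptUrls: true, evalAllowed: true };
  }
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  // Arbitrary (un-nonced, un-hashed) inline <script> blocks and onclick="" attributes.
  const inlineScripts = lower.includes("'unsafe-inline'") && !hasNonceOrHash;
  return {
    governed: true,
    inlineScripts,
    // <a href="javascript:..."> is treated like inline script by the browser.
    javascriptUrls: inlineScripts,
    // eval(), new Function() and string arguments to setTimeout/setInterval.
    evalAllowed: lower.includes("'unsafe-eval'"),
  };
}

// Constructed sample: the policy from the Apache snippet in these notes.
console.log(analyseScriptPolicy("default-src 'self'"));
```

Running it against "default-src 'self'" reports every feature as blocked, which is why both the javascript: link and the eval-based methods fail under that header.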

References:

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
https://wiki.selfhtml.org/wiki/Sicherheit/Content_Security_Policy
https://siwecos.de/wiki/Content-Security-Policy-Schwachstelle/DE