Someone pointed me to https://securityheaders.io/ previously and after running my site through it, I decided to implement a whole bunch of security changes, including adding a Content-Security-Policy header.
For those not familiar with CSP, it is an effective means of combating XSS attacks and is described further here.
To work out the right combination of CSP headers, I basically:
- Add/modify headers
- Open up Firefox and Chrome debug consoles (especially security logs)
- Reload the page
- See errors and guess at what values are needed to fix them
- Go to top of list
Chrome's security logging was more informative than Firefox's, and Chrome's CSP validation seems more thorough.
Finally, after a lot of trial and error and reading of documentation (in particular, this OWASP guide was awesome) I arrived at:
Header always set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' 'self'; font-src 'self' data: https://fonts.gstatic.com:443; img-src 'self' data: https://secure.gravatar.com:443; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com:443"
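The add/reload/guess loop above can be replaced with a direct check. The following is an added example, not code from the original post: a small CSP evaluator that parses the header value above, resolves which directive governs each resource type (fetch directives with no entry inherit default-src), evaluates a set of constructed sample loads the way the browser console would report them, and flags source expressions that weaken script restrictions. Run against the post's header it shows that, because no script-src is set, scripts are governed by default-src, and that list carries 'unsafe-inline' and 'unsafe-eval', so injected inline script is still permitted. The matching is simplified (no path matching, no http-to-https upgrade rule, no nonce or hash handling), which is an assumption made for this example.

```python
"""Added example, not code from the original post: a small CSP evaluator.
Assumption: simplified source matching (no paths, no http->https upgrade,
no nonce/hash handling), enough to reason about the header in the post."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

# Fetch directives that fall back to default-src when absent (assumption:
# this subset is enough for the header discussed in the post).
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src", "connect-src",
                    "media-src", "object-src", "frame-src", "child-src", "worker-src"}

# Source expressions that leave script-src or object-src too permissive.
WEAK = {"script-src": {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"},
        "object-src": {"*", "data:", "http:", "https:"}}

# The header value from the post, used here as the sample policy.
POST_POLICY = ("default-src 'unsafe-inline' 'unsafe-eval' 'self'; "
               "font-src 'self' data: https://fonts.gstatic.com:443; "
               "img-src 'self' data: https://secure.gravatar.com:443; "
               "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com:443")


def parse_csp(value):
    """Split a policy into {directive: [sources]}; a repeated directive is ignored."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Sources governing `directive`; fetch directives inherit default-src."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", []) if directive in FETCH_DIRECTIVES else []


def _port(parts):
    return parts.port or DEFAULT_PORTS.get(parts.scheme)


def _host_source(expr, page):
    """(scheme, host, port) for a host-source; scheme and port default from the page."""
    scheme, rest = expr.split("://", 1) if "://" in expr else (page.scheme, expr)
    host, _, port = rest.split("/", 1)[0].partition(":")
    scheme = scheme.lower()
    return scheme, host.lower(), int(port) if port else DEFAULT_PORTS.get(scheme)


def source_allows(expr, page, url):
    """Does one source expression permit loading `url` from a page at `page`?"""
    u = urlsplit(url)
    if expr == "'self'":
        return (u.scheme, u.hostname, _port(u)) == (page.scheme, page.hostname, _port(page))
    if expr.startswith("'"):            # 'none', 'unsafe-*', nonces, hashes: never a URL match
        return False
    if expr.endswith(":"):              # scheme-source such as data: or https:
        return u.scheme == expr[:-1].lower()
    scheme, host, port = _host_source(expr, page)
    if scheme != u.scheme or port != _port(u):
        return False
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return host == u.hostname


def load_allowed(policy, page_url, directive, url):
    """Evaluate one resource load the way the browser console would report it."""
    page = urlsplit(page_url)
    return any(source_allows(e, page, url) for e in effective_sources(policy, directive))


def blocked_loads(policy, page_url, loads):
    """(directive, url, inherited_from_default_src) for each blocked load, which
    answers the 'which directive do I need to change' question directly."""
    return [(d, url, d not in policy) for d, url in loads
            if not load_allowed(policy, page_url, d, url)]


def weak_sources(policy):
    """Weak expressions that govern scripts and plugins after default-src fallback."""
    return {d: [e for e in effective_sources(policy, d) if e in WEAK[d]]
            for d in WEAK if any(e in WEAK[d] for e in effective_sources(policy, d))}


# Constructed sample loads, as a page at https://example.com/ might request them.
SAMPLE_LOADS = [
    ("font-src", "https://fonts.gstatic.com/s/roboto.woff2"),
    ("img-src", "https://secure.gravatar.com/avatar/0123"),
    ("img-src", "data:image/png;base64,iVBORw0KGgo="),
    ("style-src", "https://fonts.googleapis.com/css?family=Roboto"),
    ("script-src", "https://example.com/app.js"),
    ("script-src", "https://cdn.example.net/lib.js"),
    ("img-src", "https://i.example.org/pic.png"),
]

if __name__ == "__main__":
    policy = parse_csp(POST_POLICY)
    for d, url, inherited in blocked_loads(policy, "https://example.com/", SAMPLE_LOADS):
        print(f"blocked: {d} {url} (governed by {'default-src' if inherited else d})")
    print("weak:", weak_sources(policy))
```

The third field returned by `blocked_loads` is the useful bit during tuning: when it is true, the load was judged by default-src, so the fix is to add an explicit directive for that resource type rather than loosen default-src for everything. `weak_sources` is the check to run after each change; the aim is for it to return an empty dict, which for this header means moving 'unsafe-inline' and 'unsafe-eval' out of default-src and giving script-src its own, tighter list.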