From 4d24d8a3bddd64f6f7bd70cf9898e9e2924891e9 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Mon, 12 Aug 2019 20:13:49 +0200
Subject: Adding README.Debian for netdata-web wwith a note about
 Content-Security-Policy headers, thanks to Katharina Drexel
 <katharina.drexel@bfh.ch> (Closes: #931843).

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 debian/netdata-web.README.Debian | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 debian/netdata-web.README.Debian

diff --git a/debian/netdata-web.README.Debian b/debian/netdata-web.README.Debian
new file mode 100644
index 000000000..6f21e2d86
--- /dev/null
+++ b/debian/netdata-web.README.Debian
@@ -0,0 +1,20 @@
+netdata-web for Debian
+======================
+
+1. Content-Security-Policy (CSP)
+--------------------------------
+
+By default netdata uses its own embedded webserver, listening to localhost:19999
+only. When exposing netdata to the network, it is recommended for security
+reasons to use a reverse proxy in front of it, such as apache2 (see
+netdata-apache2 package).
+
+If the proxy wants to set Content-Security-Policy headers, it can use the
+following for netdata (for apache2):
+
+	Header always set Content-Security-Policy "default-src 'unsafe-inline' \
+	http://localhost:19999 https: 'self' 'unsafe-eval'; script-src \
+	'unsafe-inline' https: 'self' 'unsafe-eval'; style-src https: 'self' \
+	'unsafe-inline'"
+
+ -- Daniel Baumann <daniel.baumann@progress-linux.org>  Mon, 12 Aug 2019 20:11:00 +0200
-- 
cgit v1.2.3