add CSP info for Discourse 2.2
diff --git a/docs/SECURITY.md b/docs/SECURITY.md
index 27d4fef..190282f 100644
--- a/docs/SECURITY.md
+++ b/docs/SECURITY.md
@@ -27,6 +27,8 @@ There are 2 main scenarios we protect against:
 
 2. **Markdown displayed on the page invokes an XSS.** To protect against client side preview XSS, Discourse uses [Google Caja](https://developers.google.com/caja/) in the preview window.
 
+3. [**CSP is on by default** for all Discourse installations](https://meta.discourse.org/t/mitigate-xss-attacks-with-content-security-policy/104243) as of Discourse 2.2. It can be switched off in the site settings, but it is default on.
+
 On the server side we run a whitelist based sanitizer, implemented using the [Sanitize gem](https://github.com/rgrove/sanitize). See the [relevant Discourse code](https://github.com/discourse/discourse/blob/master/lib/pretty_text.rb).
 
 In addition, titles and all other places where non-admins can enter code are protected either using the Handlebars library or standard Rails XSS protection.
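Review bot: The new item 3 is appended to a list introduced by "There are 2 main scenarios we protect against:", so the count in that intro line is now wrong, and the item is a mitigation rather than a scenario like items 1 and 2. Either change the intro to "3 main scenarios" with the item reworded as a threat, or keep the list at two scenarios and add the CSP note as a separate paragraph alongside the server-side sanitizer text, e.g. "As of Discourse 2.2, a Content Security Policy is enabled by default for all installations; it can be switched off in the site settings." That also removes the redundancy of "on by default ... but it is default on" in the added line.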

sha: 358fbeba