huubl · pull · Apr 12, 2025 · Apr 12, 2025 · Apr 12, 2025
diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml
@@ -49,6 +49,9 @@ project_current_path: "{{ project.current_path | default('current') }}"
 # Whether to run `wp core update-db` at end of each deploy
 update_db_on_deploy: true
 
+# Whether to flush rewrite rules at end of each deploy
+flush_rewrite_rules_on_deploy: true
+
 # Most scripts are used in development instead of remote servers. Use with caution.
 composer_no_scripts: true
 # Whether to run `composer check-platform-reqs`.

diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml
@@ -31,6 +31,12 @@
       chdir: "{{ deploy_helper.current_path }}"
     when: project.update_db_on_deploy | default(update_db_on_deploy)
 
+  - name: Flush rewrite rules
+    command: wp rewrite flush
+    args:
+      chdir: "{{ deploy_helper.current_path }}"
+    when: project.flush_rewrite_rules_on_deploy | default(flush_rewrite_rules_on_deploy)
+
   when: wp_installed.rc == 0
 
 - name: Reload php-fpm

diff --git a/roles/nginx/templates/h5bp/directive-only/extra-security.conf b/roles/nginx/templates/h5bp/directive-only/extra-security.conf
@@ -10,8 +10,27 @@ add_header X-Content-Type-Options nosniff always;
 # The header instructs IE to enable its inbuilt anti-cross-site scripting filter.
 add_header X-XSS-Protection "1; mode=block" always;
 
-# with Content Security Policy (CSP) enabled (and a browser that supports it (http://caniuse.com/#feat=contentsecuritypolicy),
-# you can tell the browser that it can only download content from the domains you explicitly allow
-# CSP can be quite difficult to configure, and cause real issues if you get it wrong
-# There is website that helps you generate a policy here http://cspisawesome.com/
+# Mitigate the risk of cross-site scripting and other content-injection
+# attacks.
+#
+# This can be done by setting a Content Security Policy which permits
+# trusted sources of content for your website.
+#
+# There is no policy that fits all websites, you will have to modify the
+# `Content-Security-Policy` directives in the example depending on your needs.
+#
+# To make your CSP implementation easier, you can use an online CSP header
+# generator such as:
+# https://report-uri.com/home/generate/
+#
+# It is encouraged that you validate your CSP header using a CSP validator
+# such as:
+# https://csp-evaluator.withgoogle.com
+#
+# https://www.w3.org/TR/CSP/
+# https://owasp.org/www-project-secure-headers/#content-security-policy
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+# https://developers.google.com/web/fundamentals/security/csp
+# https://content-security-policy.com/
+
 # add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;" always;