Add CSP headers to all sites
The CSP module should be added by default.
More related links:
At the same time, let's improve HTTP headers in general. Sites should be tested with Dries' tool, and all headers are explained here.
- Remove: server
- Add: strict-transport-security: max-age=31536000; includeSubDomains
- Add: content-security-policy (will be done by the CSP module)
- Add: referrer-policy: same-origin
- Add: permissions-policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), microphone=(), payment=(), usb=()
- Add: cross-origin-embedder-policy: unsafe-none
- Add: cross-origin-opener-policy: same-origin
- Add: cross-origin-resource-policy: cross-origin
- Add: x-permitted-cross-domain-policies: none
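To verify a site once the headers are rolled out, here is an added Python check (example code, not part of this issue or of the CSP module) that compares a response's headers with the list above: the server header must be absent, HSTS must carry at least the one-year max-age with includeSubDomains, and the remaining values must match. The two sample responses are constructed, and the CSP value in the compliant one is a placeholder.

```python
import re
# Target values from the issue (names case-insensitive; whitespace ignored when comparing).
EXPECTED = {
    "referrer-policy": "same-origin",
    "permissions-policy": "accelerometer=(), camera=(), geolocation=(), gyroscope=(), "
                          "microphone=(), payment=(), usb=()",
    "cross-origin-embedder-policy": "unsafe-none",
    "cross-origin-opener-policy": "same-origin",
    "cross-origin-resource-policy": "cross-origin",
    "x-permitted-cross-domain-policies": "none",
}
HSTS_MIN_AGE = 31536000   # one year, as in the issue

def _squash(value):  # ignore case and whitespace in header values
    return "".join(value.split()).lower()

def check_hsts(value):
    """Findings for a Strict-Transport-Security value; [] when it meets the policy."""
    findings, directives = [], [d for d in _squash(value).split(";") if d]
    ages = [int(d[len("max-age="):]) for d in directives if re.fullmatch(r"max-age=\d+", d)]
    if not ages or ages[0] < HSTS_MIN_AGE:
        findings.append(f"strict-transport-security: max-age must be at least {HSTS_MIN_AGE}")
    if "includesubdomains" not in directives:
        findings.append("strict-transport-security: missing includeSubDomains")
    return findings

def check_headers(headers):
    """Compare one response's headers with the policy; sorted findings, [] means compliant."""
    h = {k.strip().lower(): v for k, v in headers.items()}
    findings = ["server: present, remove it"] if "server" in h else []
    if "strict-transport-security" in h:
        findings += check_hsts(h["strict-transport-security"])
    else:
        findings.append("strict-transport-security: missing")
    if "content-security-policy" not in h:
        findings.append("content-security-policy: missing (expected from the CSP module)")
    for name, want in EXPECTED.items():
        if name not in h:
            findings.append(f"{name}: missing")
        elif _squash(h[name]) != _squash(want):
            findings.append(f"{name}: got {h[name]!r}, expected {want!r}")
    return sorted(findings)

# Constructed sample responses, not captured from any real site.
COMPLIANT = {name.title(): value for name, value in EXPECTED.items()}
COMPLIANT.update({"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                  "Content-Security-Policy": "default-src 'self'"})  # placeholder CSP
WEAK = {"Server": "nginx", "Strict-Transport-Security": "max-age=300",
        "Referrer-Policy": "no-referrer-when-downgrade"}
```

Feed it the header dict from any HTTP client; an empty list means the response matches the list above, anything else is what still needs fixing on that site.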