
Add CSP headers to all sites

The CSP module should be added by default.

More related links:

At the same time, let's improve the HTTP response headers in general. Sites should be tested with Dries' tool, and all of the headers are explained here:

  • Remove server (the product/version string only helps fingerprinting; if the web server cannot drop the header entirely, at least strip the version)
  • Add strict-transport-security: max-age=31536000; includeSubDomains (one year; only send it over HTTPS, and only once every subdomain is reachable over HTTPS, because browsers remember the policy for the full max-age)
  • Add content-security-policy - will be done by the CSP module
  • Add referrer-policy: same-origin
  • Add permissions-policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), microphone=(), payment=(), usb=() (disables these browser features for the page and everything it frames; a site that needs none of them loses nothing)
  • Add cross-origin-embedder-policy: unsafe-none (this is the browser default, so it changes nothing by itself; it just makes explicit that we are not opting into cross-origin isolation)
  • Add cross-origin-opener-policy: same-origin (note: a cross-origin window opened with window.open no longer gets a reference back to the opener, which breaks popup flows that rely on window.opener)
  • Add cross-origin-resource-policy: cross-origin (the permissive value: other origins may still load our images, scripts and fonts; use same-site or same-origin only for assets that must not be embedded elsewhere)
  • Add x-permitted-cross-domain-policies: none (only honoured by Adobe Flash/Acrobat clients, so mostly legacy, but harmless)
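As an added example (not part of this issue, of Dries' tool, or of the CSP module), here is a small Python script that audits a dict of response headers against the list above. It works on a plain header dict, so it runs offline; the two sample responses at the bottom are constructed for the demo and were not captured from any real site. HSTS is parsed rather than string-compared, because the directive order and case are not significant in that header.

```python
"""Audit HTTP response headers against the hardening checklist above.

Added example, not code from the issue or the Drupal CSP module. It takes a
plain dict of response headers (e.g. requests.Response.headers) so it can run
offline against the constructed samples at the bottom.
"""
import re
from typing import Dict, List, Tuple

# Headers whose value must match the checklist (after normalisation).
EXACT = {
    "referrer-policy": "same-origin",
    "permissions-policy": "accelerometer=(), camera=(), geolocation=(), "
                          "gyroscope=(), microphone=(), payment=(), usb=()",
    "cross-origin-embedder-policy": "unsafe-none",
    "cross-origin-opener-policy": "same-origin",
    "cross-origin-resource-policy": "cross-origin",
    "x-permitted-cross-domain-policies": "none",
}
# Must be present; the value is site-specific (the CSP module generates it).
PRESENT = ["content-security-policy"]
# Must not be sent at all (the version string only helps fingerprinting).
ABSENT = ["server"]

HSTS_MIN_AGE = 31536000  # one year, as in the checklist

Finding = Tuple[str, str, str]  # (header, "ok" | "fail", detail)


def _normalize(value: str) -> str:
    """Lower-case and collapse whitespace so 'a=(),  b=()' equals 'a=(), b=()'."""
    value = value.strip().lower()
    value = re.sub(r"\s*([;,])\s*", r"\1 ", value)   # one space after ; and ,
    return re.sub(r"\s+", " ", value).strip()


def _check_hsts(value: str) -> Finding:
    """RFC 6797: directive names are case-insensitive and order-free; require a
    one-year max-age and includeSubDomains."""
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = None
    for d in directives:
        m = re.fullmatch(r'max-age="?(\d+)"?', d)
        if m:
            max_age = int(m.group(1))
    if max_age is None:
        return ("strict-transport-security", "fail", "missing max-age")
    if max_age < HSTS_MIN_AGE:
        return ("strict-transport-security", "fail",
                f"max-age {max_age} < {HSTS_MIN_AGE}")
    if "includesubdomains" not in directives:
        return ("strict-transport-security", "fail", "missing includeSubDomains")
    return ("strict-transport-security", "ok", value)


def audit(headers: Dict[str, str]) -> List[Finding]:
    """Return one finding per checklist item for a response-header dict."""
    h = {k.lower(): v for k, v in headers.items()}   # names are case-insensitive
    findings: List[Finding] = []

    for name in ABSENT:
        if name in h:
            findings.append((name, "fail", f"should be removed (got {h[name]!r})"))
        else:
            findings.append((name, "ok", "not sent"))

    for name in PRESENT:
        if name in h and h[name].strip():
            findings.append((name, "ok", "present"))
        else:
            findings.append((name, "fail", "missing"))

    if "strict-transport-security" in h:
        findings.append(_check_hsts(h["strict-transport-security"]))
    else:
        findings.append(("strict-transport-security", "fail", "missing"))

    for name, want in EXACT.items():
        if name not in h:
            findings.append((name, "fail", f"missing (want {want!r})"))
        elif _normalize(h[name]) != _normalize(want):
            findings.append((name, "fail", f"got {h[name]!r}, want {want!r}"))
        else:
            findings.append((name, "ok", want))
    return findings


def failures(headers: Dict[str, str]) -> List[str]:
    """Names of headers that fail the checklist; an empty list means hardened."""
    return [name for name, status, _ in audit(headers) if status == "fail"]


# Constructed sample responses for the demo (not captured from any real site).
DEFAULT_LIKE = {
    "Server": "nginx/1.18.0",
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "SAMEORIGIN",
}
HARDENED = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "includeSubDomains; max-age=31536000",
    "Content-Security-Policy": "default-src 'self'",
    "Referrer-Policy": "same-origin",
    "Permissions-Policy": "accelerometer=(), camera=(), geolocation=(), "
                          "gyroscope=(), microphone=(), payment=(), usb=()",
    "Cross-Origin-Embedder-Policy": "unsafe-none",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "cross-origin",
    "X-Permitted-Cross-Domain-Policies": "none",
}

if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_LIKE), ("hardened", HARDENED)):
        print(f"== {label}")
        for name, status, detail in audit(sample):
            print(f"  {status:4} {name}: {detail}")
```

To run it against a live site, feed it `requests.get(url).headers` instead of the constructed dicts; the default-looking sample fails every item, the hardened sample passes all nine.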
Edited by jurgenhaas