privsec.dev/static/_headers
Tommy 0e8925f20b
Rearrange CSP policies (#258)
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-23 12:54:59 -07:00

53 lines
3.6 KiB
Plaintext

/*
Strict-Transport-Security : max-age=63072000; includeSubDomains; preload
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'none'; block-all-mixed-content; form-action 'none'; frame-ancestors 'none'; upgrade-insecure-requests
X-Content-Type-Options : nosniff
Referrer-Policy : no-referrer
X-Frame-Options : DENY
X-XSS-Protection : 0
Permissions-Policy : accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), usb=(), sync-xhr=(), xr-spatial-tracking=()
Cross-Origin-Resource-Policy : same-origin
Cross-Origin-Embedder-Policy : require-corp
# Cross-Origin-Opener-Policy : same-origin
/posts/knowledge/multi-factor-authentication/
! Content-Security-Policy
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'
Cross-Origin-Embedder-Policy : unsafe-none
/posts/android/android-tips/
! Content-Security-Policy
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'
Cross-Origin-Embedder-Policy : unsafe-none
/posts/android/choosing-your-android-based-operating-system/
! Content-Security-Policy
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self' https://i.ytimg.com; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'
Cross-Origin-Embedder-Policy : unsafe-none
/posts/linux/choosing-your-desktop-linux-distribution/
! Content-Security-Policy
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'
Cross-Origin-Embedder-Policy : unsafe-none
/posts/linux/desktop-linux-hardening/
! Content-Security-Policy
Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'
Cross-Origin-Embedder-Policy : unsafe-none
/*.xml
! Content-Security-Policy
Content-Security-Policy : default-src 'none'; img-src 'self' data: https://www.w3.org/; style-src 'self' 'unsafe-inline'; block-all-mixed-content; base-uri 'none'
/*.png
! Content-Security-Policy
Cross-Origin-Resource-Policy : cross-origin
/*.jpg
! Content-Security-Policy
Cross-Origin-Resource-Policy : cross-origin
/.well-known/openpgpkey/hu/*
! Content-Security-Policy
Access-Control-Allow-Origin: *