diff --git a/swag/nginx/ssl.conf b/swag/nginx/ssl.conf index 78427e6..b54f8bc 100644 --- a/swag/nginx/ssl.conf +++ b/swag/nginx/ssl.conf @@ -38,7 +38,8 @@ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; prelo # Optional additional headers #add_header Cache-Control "no-transform" always; add_header Content-Security-Policy "default-src 'none'; connect-src * https:; font-src 'self'; img-src https: blob: data:; manifest-src 'self'; media-src *; script-src https:; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.recaptcha.net blob:; frame-ancestors 'self'; block-all-mixed-content; base-uri 'none'"; -add_header Referrer-Policy "same-origin" always; +add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()"; add_header X-Content-Type-Options "nosniff" always; #add_header X-UA-Compatible "IE=Edge" always; add_header X-XSS-Protection "0" always; +add_header Expect-CT "enforce, max-age=63072000";