From b53769462bf830f860b7d741a3d0801afdbc9aa2 Mon Sep 17 00:00:00 2001 From: Alan Pearce Date: Thu, 30 May 2024 14:01:35 +0200 Subject: feat: make security headers stricter --- defaults.toml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'defaults.toml') diff --git a/defaults.toml b/defaults.toml index 3822d02..6285de0 100644 --- a/defaults.toml +++ b/defaults.toml @@ -20,16 +20,16 @@ ExtraHeadHTML = '' # Content-Security-Policy header to send with requests. Should only need changing if ExtraHeadHTML is used. [Web.ContentSecurityPolicy] -base-uri = [] +base-uri = ["'none'"] block-all-mixed-content = false child-src = [] -connect-src = [] -default-src = ["'self'"] +connect-src = ["'self'"] +default-src = ["'none'"] font-src = [] -form-action = [] +form-action = ["'self'"] frame-ancestors = [] frame-src = [] -img-src = [] +img-src = ["'self'"] manifest-src = [] media-src = [] navigate-to = [] @@ -45,7 +45,7 @@ sandbox = '' script-src = [] script-src-attr = [] script-src-elem = [] -style-src = [] +style-src = ["'self'"] style-src-attr = [] style-src-elem = [] trusted-types = [] @@ -54,7 +54,9 @@ worker-src = [] # Extra headers to send with HTTP requests [Web.Headers] +strict-transport-security = 'max-age=31536000' x-content-type-options = 'nosniff' +x-frame-options = 'DENY' # Settings for the import job [Importer] -- cgit 1.4.1