2014-10-30 10:59:06 +01:00
|
|
|
# The X-Frame-Options header indicates whether a browser should be allowed
|
|
|
|
|
# to render a page within a frame or iframe.
|
2014-10-28 22:28:03 +01:00
|
|
|
add_header X-Frame-Options SAMEORIGIN;
|
2015-12-04 15:25:31 +01:00
|
|
|
|
2014-10-30 10:59:06 +01:00
|
|
|
# MIME type sniffing security protection
|
|
|
|
|
# There are very few edge cases where you wouldn't want this enabled.
|
2014-10-28 22:28:03 +01:00
|
|
|
add_header X-Content-Type-Options nosniff;
|
2015-12-04 15:25:31 +01:00
|
|
|
|
2014-10-30 10:59:06 +01:00
|
|
|
# The X-XSS-Protection header is used by Internet Explorer version 8+
|
|
|
|
|
# The header instructs IE to enable its inbuilt anti-cross-site scripting filter.
|
2014-10-28 22:28:03 +01:00
|
|
|
add_header X-XSS-Protection "1; mode=block";
|
2015-12-04 15:25:31 +01:00
|
|
|
|
2014-10-30 10:59:06 +01:00
|
|
|
# with Content Security Policy (CSP) enabled (and a browser that supports it (http://caniuse.com/#feat=contentsecuritypolicy),
|
2014-10-28 22:28:03 +01:00
|
|
|
# you can tell the browser that it can only download content from the domains you explicitly allow
|
2014-10-30 10:59:06 +01:00
|
|
|
# CSP can be quite difficult to configure, and cause real issues if you get it wrong
|
|
|
|
|
# There is website that helps you generate a policy here http://cspisawesome.com/
|
|
|
|
|
# add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;";
|
