X-Content-Type-Options, X-XSS-Protection, X-Frame-Options headers
It is good practice to return a Content-Security-Policy
header, as it mitigates several classes of XSS attack.
This is what we currently use on our lstu server:
Content-Security-Policy: default-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'unsafe-inline'
Here is what it means:
- By default, only allow resources from the same origin.
- Don't allow objects and embeds at all.
- Only allow styles from the same origin or inline styles.
- Only allow inline scripts (no external script files, not even from the same origin, since 'self' is not listed for script-src).
I thought you might want to implement this directly into lstu.
It's also a good idea to define the following headers:
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
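To see concretely what the policy quoted above allows and blocks, here is a small CSP evaluator. It is an added example, not code from lstu or from the issue author; it implements the source-list matching rules that matter for this policy ('self', 'none', 'unsafe-inline', scheme and host sources, and fallback to default-src) and deliberately skips hashes, nonces and report directives. The page origin `https://lstu.example` and the resource URLs are constructed sample values.

```python
"""Evaluate what a Content-Security-Policy header lets a page load.

Added example for the lstu issue; not the project's own code. Covers the
subset of CSP source matching relevant to the quoted policy: keywords
'self', 'none', 'unsafe-inline', scheme sources ("https:"), host sources
with an optional "*." wildcard, and fallback to default-src.
"""
from urllib.parse import urlsplit

# Policy quoted in the issue.
LSTU_POLICY = ("default-src 'self'; object-src 'none'; "
               "style-src 'self' 'unsafe-inline'; script-src 'unsafe-inline'")

# Fetch directives that fall back to default-src when not set themselves.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "object-src",
                         "font-src", "connect-src", "media-src", "frame-src"}


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source, ...]}.

    Directive names are case-insensitive; a repeated directive is ignored
    after its first occurrence, which is how browsers treat duplicates.
    """
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict, directive: str):
    """Source list governing `directive`, or None when nothing restricts it."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")
    return None


def _source_matches(source: str, origin: str, page_origin: str) -> bool:
    """Match one source expression against a resource origin (scheme://host)."""
    if source == "*":
        return True
    if source == "'self'":
        return origin == page_origin
    if source.startswith("'"):          # other keywords never match a URL
        return False
    if source.endswith(":"):            # scheme source, e.g. "https:"
        return origin.startswith(source + "//")
    # Host source; inherit the page scheme when the source gives none.
    if "://" not in source:
        source = page_origin.split("://")[0] + "://" + source
    s_scheme, _, s_host = source.partition("://")
    o_scheme, _, o_host = origin.partition("://")
    if s_scheme != o_scheme:
        return False
    if s_host.startswith("*."):         # "*.example.net" does not match "example.net"
        return o_host.endswith(s_host[1:])
    return s_host == o_host


def allows_inline(policy: dict, directive: str) -> bool:
    """True if inline content (inline <script> / <style>) is permitted."""
    sources = effective_sources(policy, directive)
    return sources is None or "'unsafe-inline'" in sources


def allows_url(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """True if a resource at `url` may be loaded under `directive`."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    if sources == ["'none'"]:
        return False
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.netloc}"
    return any(_source_matches(s, origin, page_origin) for s in sources)


if __name__ == "__main__":
    page = "https://lstu.example"          # constructed sample origin
    p = parse_csp(LSTU_POLICY)
    checks = [
        ("inline <script>",            allows_inline(p, "script-src")),
        ("<script src=/app.js> (self)", allows_url(p, "script-src", page + "/app.js", page)),
        ("inline <style>",             allows_inline(p, "style-src")),
        ("<object> from self",         allows_url(p, "object-src", page + "/x.swf", page)),
        ("<img> from self",            allows_url(p, "img-src", page + "/logo.png", page)),
        ("<img> from cdn.example",     allows_url(p, "img-src", "https://cdn.example/a.png", page)),
    ]
    for label, ok in checks:
        print(f"{label:32} {'allowed' if ok else 'BLOCKED'}")
```

Running it shows one property of the quoted policy worth knowing before deploying it: because `script-src` lists only 'unsafe-inline' and not 'self', external script files are blocked even when served from lstu's own origin, while inline scripts are permitted; the protection against injected inline script therefore comes only from the application's own output escaping, not from the CSP. The three extra headers need no evaluator: `nosniff` stops browsers from reinterpreting a response as a different content type, `DENY` stops the page from being framed, and `X-XSS-Protection` drives a reflected-XSS filter that current Chromium and Firefox no longer ship, so it is harmless to send but the CSP and output escaping carry the actual defence.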
Edited by Luc Didry