melish closed this 6 years ago
Fixed, with some warnings. For the moment X-Frame-Options allows anybody to iframe ecolex:
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
# "ALLOWALL" is not a value defined by RFC 7034 (only DENY and SAMEORIGIN are); browsers ignore unrecognised values, so framing is left unrestricted
Header always set X-Frame-Options "ALLOWALL"
# "unsafe-url" sends the full URL, query string included, as the referrer to every destination
Header always set Referrer-Policy "unsafe-url"
Header always set Content-Security-Policy "script-src 'self' https://d3js.org https://datamaps.github.io https://www.google-analytics.com 'unsafe-inline'; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; img-src 'self' https://www.google-analytics.com; font-src 'self' https://fonts.gstatic.com;"
https://securityheaders.io/?q=www.ecolex.org&hide=on&followRedirects=on
except X-Frame-Options, because we will need to allow embedding at some point.
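An offline check of the header set pasted in the comment above, added here as an example and not part of the ecolex project; the sample values are constructed from the Header lines (CSP abridged), not fetched from the site, and the checks mirror the points a scanner such as securityheaders.io reports:

```python
# Added example (not ecolex project code): an offline audit of the header set
# shown above, checking the points a header scanner would flag.
from typing import Dict, List

VALID_XFO = {"DENY", "SAMEORIGIN"}  # the values defined by RFC 7034

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a set of response headers (names case-insensitive)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: any site may frame the page")
    elif xfo.upper() not in VALID_XFO:
        # Unrecognised values such as ALLOWALL are ignored by browsers.
        findings.append(f"X-Frame-Options '{xfo}' is not a defined value; framing is unrestricted")
    if h.get("referrer-policy", "").lower() == "unsafe-url":
        findings.append("Referrer-Policy unsafe-url sends the full URL to every destination")
    if "max-age=" not in h.get("strict-transport-security", ""):
        findings.append("Strict-Transport-Security missing or without max-age")
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("Content-Security-Policy missing")
    else:
        if "default-src" not in csp:
            findings.append("CSP has no default-src: unlisted fetch directives are unrestricted")
        if "frame-ancestors" not in csp:
            findings.append("CSP has no frame-ancestors: framing is governed only by X-Frame-Options")
        if "'unsafe-inline'" in csp.get("script-src", []):
            findings.append("CSP script-src allows 'unsafe-inline', weakening its XSS protection")
    return findings

# Constructed from the Header lines in the comment above (CSP abridged), not a live capture.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOWALL",
    "Referrer-Policy": "unsafe-url",
    "Content-Security-Policy": "script-src 'self' https://d3js.org 'unsafe-inline'; "
                               "style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self';",
}
```

Running `audit_headers(SAMPLE_HEADERS)` reports five findings for the config above: the undefined X-Frame-Options value, the unsafe-url referrer policy, the missing default-src and frame-ancestors directives, and 'unsafe-inline' in script-src.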