Open pinae opened 10 years ago
We should activate Content Security Policy to prevent cross-site scripting attacks. As this leaves browsers vulnerable to attacks by uploaded .gif images we should also send the header:
X-Content-Type-Options: nosniff
In nginx this can be configured by adding
add_header X-Content-Type-Options nosniff;
for Apache this should help: https://httpd.apache.org/docs/2.4/mod/mod_headers.html#header
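An added example (not from the issue author or the project's own configuration) of an nginx server block that sends both headers, including the inheritance caveat that bites when a location block adds its own headers; the hostname and paths are placeholders:

```nginx
# Added example: send CSP and nosniff from nginx. Hostname/paths are placeholders.
server {
    listen 443 ssl;
    server_name example.test;

    # Restrictive baseline policy; widen script-src/style-src for the site's own assets.
    # "always" also attaches the header to error responses (4xx/5xx).
    add_header Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" always;
    # Stop browsers from MIME-sniffing uploads (e.g. a .gif that actually contains HTML/JS).
    add_header X-Content-Type-Options nosniff always;

    location /uploads/ {
        # Caveat: add_header is only inherited from the parent level if this level declares
        # no add_header of its own. Declaring one here drops the two headers above unless
        # they are repeated (or placed in a shared include file).
        add_header Content-Disposition attachment always;
        add_header Content-Security-Policy "default-src 'none'; sandbox" always;
        add_header X-Content-Type-Options nosniff always;
    }
}
```

The Apache equivalent with mod_headers is `Header always set X-Content-Type-Options "nosniff"`, using `always` for the same reason.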