navigate-to looks useful to implement regarding the 'to' header during login. The login page should only ever go to /auth.
style-src, script-src, prefetch-src, manifest-src, img-src, media-src sound interesting. We may be able to just set default-src and be done with it, though. I have done so.
What is more important is the reporting URL. We probably need a dashboard of some kind, or to log it so that we can fail2ban them.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
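As an added illustration of the two points above (a default-src-only policy with a reporting endpoint, and logging violation reports in a form fail2ban can consume), not code from the original note: it builds the header string, then normalises both the legacy `report-uri` JSON body and the Reporting API `report-to` batch format into one log line per violation. The report path, the `form-action /auth` restriction (navigate-to was dropped from the CSP3 draft and never shipped, so form-action is the directive that actually limits where the login form may submit), and the sample reports are assumptions constructed for the example.

```python
import json
from ipaddress import ip_address

REPORT_PATH = "/csp-report"  # assumed endpoint path

# fail2ban failregex that matches the log lines emitted by log_line() below;
# <HOST> is fail2ban's placeholder for the banned address.
FAIL2BAN_FAILREGEX = r"^csp-violation ip=<HOST> "


def build_csp(report_path: str = REPORT_PATH) -> str:
    """Single default-src policy plus the reporting directive."""
    directives = [
        "default-src 'self'",
        "form-action /auth",          # login form may only submit to /auth
        f"report-uri {report_path}",  # legacy but still the most widely honoured
    ]
    return "; ".join(directives)


def parse_violation(body: str, client_ip: str) -> list:
    """Flatten a legacy {"csp-report": {...}} body or a Reporting API batch
    [{"type": "csp-violation", "body": {...}}, ...] into log-ready dicts.
    client_ip should be the address you trust (behind a proxy, the proxy's
    forwarded-for value), because reports are client-generated and anyone can
    POST to the endpoint; rate-limit before banning on them."""
    ip = str(ip_address(client_ip))  # raises on garbage instead of logging it
    data = json.loads(body)
    out = []
    if isinstance(data, dict) and "csp-report" in data:
        r = data["csp-report"]
        out.append({"ip": ip, "document": r.get("document-uri", ""),
                    "directive": r.get("effective-directive") or r.get("violated-directive", ""),
                    "blocked": r.get("blocked-uri", "")})
    elif isinstance(data, list):
        for item in data:
            if item.get("type") != "csp-violation":
                continue
            b = item.get("body", {})
            out.append({"ip": ip, "document": b.get("documentURL", ""),
                        "directive": b.get("effectiveDirective", ""),
                        "blocked": b.get("blockedURL", "")})
    return out


def log_line(r: dict) -> str:
    return (f"csp-violation ip={r['ip']} doc={r['document']} "
            f"directive={r['directive']} blocked={r['blocked']}")


# Constructed sample reports (not real traffic).
LEGACY_SAMPLE = json.dumps({"csp-report": {
    "document-uri": "https://example.test/login", "blocked-uri": "https://evil.test/x.js",
    "violated-directive": "default-src", "effective-directive": "script-src"}})
REPORT_TO_SAMPLE = json.dumps([{"type": "csp-violation", "age": 10, "body": {
    "documentURL": "https://example.test/login", "blockedURL": "inline",
    "effectiveDirective": "style-src"}}])
```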