This pull request proposes to set:

Referrer-Policy HTTP header to no-referrer. As Galène JavaScript code does not use referrer information, I believe it makes sense to disable it for privacy reasons.

X-Content-Type-Options to nosniff to ensure that browsers load CSS and JS only if the MIME type is correct. This may protect against some types of XSS attacks.

I have put this code inside the cspHeader function as it seems to make sense there, but maybe the function should be renamed securityHeaders.
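As an added example, not the pull request's code and not Galène's own cspHeader function: a small Go handler wrapper that sets the two headers described above on every response, plus a checker that reports which of them are missing. The names securityHeaders, withSecurityHeaders, checkHeaders, serveJS and probe are assumptions made for illustration, and serveJS stands in for a static-file handler.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Example only: this is not Galène's cspHeader function. The function and
// handler names in this file are assumptions made for illustration.

// expectedHeaders lists the two headers the pull request proposes and the
// values it chooses for them.
var expectedHeaders = []struct{ name, value string }{
	{"Referrer-Policy", "no-referrer"},
	{"X-Content-Type-Options", "nosniff"},
}

// securityHeaders adds the headers to an outgoing response. It must run
// before the first WriteHeader/Write call, because Go's net/http freezes the
// header map once the status line has been sent.
func securityHeaders(h http.Header) {
	for _, e := range expectedHeaders {
		h.Set(e.name, e.value)
	}
}

// withSecurityHeaders wraps any handler so that every response, including
// error pages and static files, carries the headers.
func withSecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		securityHeaders(w.Header())
		next.ServeHTTP(w, r)
	})
}

// checkHeaders returns one message per expected header that is missing or
// has the wrong value; an empty result means the response is compliant.
func checkHeaders(h http.Header) []string {
	var problems []string
	for _, e := range expectedHeaders {
		if got := h.Get(e.name); got != e.value {
			problems = append(problems, fmt.Sprintf("%s: got %q, want %q", e.name, got, e.value))
		}
	}
	return problems
}

// serveJS stands in for a static-file handler. With nosniff in place the
// browser only executes the body as a script if this Content-Type is correct,
// so static handlers must label JS and CSS precisely.
func serveJS(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/javascript; charset=utf-8")
	fmt.Fprint(w, "console.log('hello');")
}

// probe runs a handler against an in-memory request and returns the
// resulting response headers, so they can be inspected without a network.
func probe(h http.Handler) http.Header {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/galene.js", nil))
	return rec.Result().Header
}

func main() {
	fmt.Println("with wrapper:", checkHeaders(probe(withSecurityHeaders(http.HandlerFunc(serveJS))))) // []
	fmt.Println("without wrapper:", checkHeaders(probe(http.HandlerFunc(serveJS))))
}
```

Wrapping the top-level mux once, rather than setting the headers in each handler, is what guarantees that 404 pages and static assets get the same treatment as the main page; the checker is the kind of assertion a unit test for the real cspHeader function could make.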