Currently, I inject additional security headers with nginx. I'm really fine with it, since they don't apply when I call the Docker image by itself, which makes debugging way easier. But the normal folk would just ignore it, even if they would really enhance security.
Currently I have:
Sadly, the unsafe-inline is still needed, like for the highlight color, but they don't hit the score from most security tests that much.
Maybe one can send them with the nginx, which is provided with the docker file. Those with their own nginx, like me, still directly go to port 8001 instead of 8000, but others would be happy with these additional security options.
The X-Robots-Tag is also available as a meta tag, which could be injected via nginx too:
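
An added sketch of the setup described in this post, not the poster's own configuration and not the project's shipped nginx config: response headers set by the proxy, plus the robots meta tag injected into the HTML. The header values, the use of `style-src` for the `unsafe-inline` allowance, and the port roles (nginx on 8000 in front of the application on 8001) are assumptions.

```nginx
# Added illustration: all values below are constructed examples.
server {
    listen 8000;                          # assumed: port of the bundled nginx

    # "always" also attaches the headers to error responses (4xx/5xx),
    # which add_header skips by default.
    add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Robots-Tag "noindex, nofollow" always;

    location / {
        proxy_pass http://127.0.0.1:8001; # assumed: application port

        # Keep add_header out of this block: a location that declares its
        # own add_header stops inheriting every add_header from the server
        # block, silently dropping the security headers above.

        # sub_filter (ngx_http_sub_module) cannot rewrite compressed bodies,
        # so ask the upstream for an uncompressed response.
        proxy_set_header Accept-Encoding "";

        # Inject the meta-tag form of X-Robots-Tag into text/html responses.
        sub_filter '</head>' '<meta name="robots" content="noindex, nofollow"></head>';
        sub_filter_once on;
    }
}
```

Requests sent straight to the application port bypass this server block, so they receive neither the headers nor the injected tag.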