---
# Security response-header configuration.
#
# Content-Security-Policy. The keyword sources (self, none, unsafe-inline)
# must keep their embedded single quotes: the header value needs the
# quotes, so the YAML scalar carries them inside double quotes ("'self'").
# useDefaults is false, which is taken to mean that no default directives
# are merged in and only the directives listed here are emitted — confirm
# against the consuming middleware.
#
# With the directives below the emitted header is, in effect:
#   default-src 'self'; base-uri 'self'; font-src 'self' https: data:;
#   form-action 'self'; frame-ancestors 'self'; img-src 'self' data:;
#   object-src 'none'; script-src 'self' example.com;
#   script-src-attr 'none'; style-src 'self' https: 'unsafe-inline';
#   upgrade-insecure-requests
contentSecurityPolicy:
  useDefaults: false
  directives:
    # Fallback for every fetch directive not listed here: same origin only.
    default-src:
      - "'self'"
    # Restricts <base href> so relative URLs cannot be redirected elsewhere.
    base-uri:
      - "'self'"
    # Fonts may come from the same origin, any HTTPS origin, or data: URIs.
    font-src:
      - "'self'"
      - "https:"
      - "data:"
    # Forms may only submit back to the same origin.
    form-action:
      - "'self'"
    # Only same-origin documents may frame this page (clickjacking defence).
    frame-ancestors:
      - "'self'"
    # Images may come from the same origin or inline data: URIs.
    img-src:
      - "'self'"
      - "data:"
    # No plugin content at all.
    object-src:
      - "'none'"
    # Scripts: same origin plus the single named third-party host.
    # example.com is safe as a plain scalar; a host containing ':' or a
    # leading YAML indicator would need quoting.
    script-src:
      - "'self'"
      - example.com
    # Disallows inline event-handler attributes (onclick="..." and friends).
    script-src-attr:
      - "'none'"
    # Stylesheets: same origin, any HTTPS origin, and inline styles.
    # NOTE(review): 'unsafe-inline' removes CSP's protection against injected
    # styles; keep it only while the framework genuinely depends on it.
    style-src:
      - "'self'"
      - "https:"
      - "'unsafe-inline'"
    # Valueless directive: an empty list emits only the directive name.
    upgrade-insecure-requests: []

# Cross-origin isolation headers.
# require-corp refuses cross-origin resources that do not opt in; the
# original note records it as required for shared array buffers.
crossOriginEmbedderPolicy:
  policy: "require-corp"
# Severs the opener relationship with cross-origin windows and tabs.
crossOriginOpenerPolicy:
  policy: "same-origin"
# Only same-origin documents may load this server's resources.
crossOriginResourcePolicy:
  policy: "same-origin"

# Request origin-keyed agent clusters for process isolation.
originAgentCluster: true

# Send no Referer header at all.
referrerPolicy:
  policy: "no-referrer"

# HTTP Strict Transport Security: 15552000 s = 180 days.
# NOTE(review): preload: true signals eligibility for browser preload lists;
# once a domain is submitted that commitment is very hard to undo, and
# includeSubDomains extends it to every subdomain.
strictTransportSecurity:
  maxAge: 15552000
  includeSubDomains: true
  preload: true

# Disallow MIME-type sniffing of responses.
xContentTypeOptions: true

# Turn off browser DNS prefetching.
dnsPrefetchControl:
  allow: false

# Prevent page from being embedded in