Adding security-headers to get a rating

What do you mean? It works for me. Are you reading how each option works? Are you excluding domains that are essential to the appearance of your sites?
 
Hi @BillyS

Are you excluding domains that are essential to the appearance of your sites?

How do I "exclude" domains in DA so that the appearance of the sites doesn't break?

Because I did this with a WordPress plugin and the sites are clear and available for viewing.

Mz
 
Those security headers limit what can be shown on a website. If a site relies on content originating from somewhere outside of the domain (a JavaScript, image or CSS file), then depending on what the header excludes, that file will not be loaded by the browser. This will result in the site looking broken. For example, I send this:

strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
referrer-policy: strict-origin
content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: blob:
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"

Code:
context / {
  location      $DOC_ROOT/
  allowBrowse   1
  extraHeaders  Strict-Transport-Security: max-age=31536000
}
context / {
  location      $DOC_ROOT/
  allowBrowse   1
  extraHeaders  X-Content-Type-Options nosniff
}
context / {
  location      $DOC_ROOT/
  allowBrowse   1
  extraHeaders  X-Frame-Options SAMEORIGIN
}
context / {
  location      $DOC_ROOT/
  allowBrowse   1
  extraHeaders  Referrer-Policy strict-origin
}
context / {
  location      $DOC_ROOT/
  allowBrowse   1
  extraHeaders  Content-Security-Policy default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: blob:
}
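The post above describes the mechanism only in words: a resource is loaded or blocked depending on which source expressions the CSP directive that governs it contains. The following Python script is an added example, not code from the thread or from DirectAdmin/LiteSpeed, that evaluates a CSP header against candidate resource URLs before the policy is deployed. It reuses the exact `default-src` policy quoted above as `SAMPLE_CSP`; the `STRICT_CSP` string is a constructed comparison policy (an assumption for illustration, not anything the poster uses). It implements the spec's fallback of fetch directives such as `img-src` and `script-src` to `default-src`, and matches `'self'`, scheme sources (`https:`, `data:`, `blob:`) and host sources with optional `*.` wildcard, scheme and port; path matching in host sources is deliberately left out.

```python
from urllib.parse import urlparse

# Policy quoted in the post above (copied verbatim).
SAMPLE_CSP = "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: blob:"
# Constructed stricter policy for comparison (assumption; not from the thread).
STRICT_CSP = "default-src 'self'; img-src 'self' https://cdn.example.net; script-src 'self'"

# Fetch directives that fall back to default-src when they are absent.
FALLBACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src",
                       "connect-src", "media-src", "frame-src", "object-src"}


def parse_csp(header):
    """Turn 'directive src src; directive src' into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)  # a repeated directive is ignored, as per spec
    return policy


def _host_matches(pattern, host):
    """'*.example.com' matches any subdomain; anything else must match exactly."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def source_allows(source, resource, page):
    """Does one source expression permit loading `resource` into a page at `page`?"""
    src = source.lower()
    r, p = urlparse(resource), urlparse(page)
    if src == "'none'":
        return False
    if src == "'self'":
        return (r.scheme, r.netloc) == (p.scheme, p.netloc)
    if src.endswith(":") and "/" not in src:
        # scheme-source such as https:, data:, blob:
        return r.scheme == src[:-1]
    if src.startswith("'"):
        # 'unsafe-inline', 'unsafe-eval', nonces and hashes never match a URL
        return False
    # host-source, optionally with scheme and port (paths are not handled here)
    if "://" not in src:
        src = "//" + src
    s = urlparse(src)
    if s.scheme and s.scheme != r.scheme:
        return False
    if not _host_matches(s.hostname or "", r.hostname or ""):
        return False
    default_port = {"https": 443, "http": 80}.get(r.scheme)
    if s.port and s.port != (r.port or default_port):
        return False
    return True


def csp_allows(header, resource, page, directive="script-src"):
    """Return (allowed, effective_directive) for a fetch governed by `directive`.

    effective_directive is None when no directive applies, i.e. the load is
    unrestricted by this policy.
    """
    policy = parse_csp(header)
    effective = directive
    if directive not in policy:
        if directive in FALLBACK_TO_DEFAULT and "default-src" in policy:
            effective = "default-src"
        else:
            return True, None
    allowed = any(source_allows(s, resource, page) for s in policy[effective])
    return allowed, effective


if __name__ == "__main__":
    page = "https://example.com/"  # constructed page origin
    checks = [
        ("script-src", "https://example.com/wp-includes/js/jquery.js"),
        ("style-src", "https://fonts.googleapis.com/css"),
        ("script-src", "http://cdn.other.net/lib.js"),      # plain http: blocked by https:
        ("img-src", "https://cdn.example.net/logo.png"),
        ("font-src", "https://fonts.gstatic.com/f.woff2"),
    ]
    for name, policy in (("posted policy", SAMPLE_CSP), ("strict policy", STRICT_CSP)):
        print(f"== {name}: {policy}")
        for directive, url in checks:
            ok, eff = csp_allows(policy, url, page, directive)
            print(f"  {'ALLOW' if ok else 'BLOCK':5} {directive:10} {url}  (via {eff})")
```

Run it against each site's real resource list (the URLs the browser's network panel shows) before enabling the header; every BLOCK line is a resource that will be missing from the page, which is exactly the "site looks broken" effect described above. The posted policy is permissive enough that only non-HTTPS sources are rejected, while the constructed strict policy shows how an unlisted directive silently inherits `default-src 'self'` and blocks third-party fonts.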
 