Update headers.conf

4 years ago · 8b8da74d2e
parent 469258341b
commit 8b8da74d2e
1 changed files with 3 additions and 4 deletions
--- a/nginx/snippets/headers.conf
+++ b/nginx/snippets/headers.conf
@ -1,6 +1,5 @@
 add_header Cache-Control "no-transform";
-add_header X-XSS-Protection "1; mode=block";
-add_header Referrer-Policy "no-referrer";
 add_header X-UA-Compatible "IE=Edge";
-add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://*.example.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapi.com https://cdnjs.cloudflare.com https://*.example.com; img-src * data: https:; font-src 'self' data: https: https://*.example.com https://cdnjs.cloudflare.com https://fonts.gstatic.com; object-src 'none'; frame-src *; frame-ancestors 'self'; upgrade-insecure-requests";
-add_header Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'self'; fullscreen 'self'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; sync-xhr 'self' https://haveibeenpwned.com https://twofactorauth.org; usb 'none'; vr 'none'";
+add_header Content-Security-Policy "default-src 'self'; base-uri 'none'; object-src 'none'; manifest-src 'self'; script-src 'self' 'unsafe-inline' https://email.example.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://email.example.com https://cdnjs.cloudflare.com; img-src 'self' data: https: blob:; font-src 'self' data: https:; connect-src 'self'; media-src 'self'; frame-ancestors 'self'; worker-src 'self' blob:; upgrade-insecure-requests";
+add_header Feature-Policy "accelerometer 'none'; ambient-light-sensor 'self'; autoplay 'none'; camera 'none'; encrypted-media 'self'; fullscreen 'self'; geolocation 'self'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'self'; speaker 'none'; sync-xhr 'self' https://haveibeenpwned.com https://twofactorauth.org; usb 'self'; vr 'none'";
+add_header Permissions-Policy "geolocation=(self);midi=();notifications=(self);push=(self);sync-xhr=(self);microphone=();camera=();magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=()";