Security checklist
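# Security response headers for nginx (http/server/location context).
#
# Two nginx rules matter for every line below:
#  - the header name is given WITHOUT a trailing colon; "Name: value" emits a
#    malformed "Name:: value" header that browsers ignore, and an unquoted
#    value containing ";" ends the directive early (the remainder is then read
#    as an unknown directive and the config fails to load), so every value is
#    quoted;
#  - add_header is only inherited from the enclosing level when the current
#    level (e.g. a location block) has no add_header of its own, so a location
#    that adds any header must repeat all of these. "always" makes the header
#    appear on error responses (4xx/5xx) as well as on 2xx/3xx.

# Force HTTPS for a year on this host and all subdomains. Only enable once
# every subdomain is reachable over TLS; the browser caches this.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# HTTP Public Key Pinning is deprecated and has been removed from all major
# browsers. The pins that used to be here were the OWASP example values, not
# this site's keys (see the TODO in the original checklist): serving them would
# have locked any pinning-capable client out of the site for max-age seconds.
# Kept disabled; if pinning is ever a hard requirement, generate pins for your
# own leaf/intermediate keys plus a backup pin, and report over https.
# add_header Public-Key-Pins 'pin-sha256="<your-pin>"; pin-sha256="<backup-pin>"; report-uri="https://[YOURDOMAIN]/pkp-report"; max-age=10000; includeSubDomains' always;

# Refuse to be embedded in any frame (clickjacking). Relax to SAMEORIGIN or a
# CSP frame-ancestors list only for a specific, documented requirement.
add_header X-Frame-Options "DENY" always;

# The legacy XSS auditor is gone from modern browsers and, where it still
# exists, can be abused for cross-site leaks; OWASP's Secure Headers project
# now recommends disabling it explicitly rather than "1; mode=block".
add_header X-XSS-Protection "0" always;

# Stop browsers from sniffing a MIME type other than the declared Content-Type.
add_header X-Content-Type-Options "nosniff" always;

# Tighten the Content-Security-Policy for your application; a script-src-only
# policy is a floor, not a finished policy. object-src 'none' blocks plugin
# content and base-uri 'self' stops an injected <base> tag from redirecting
# relative script URLs. If you have a collector, append
# "; report-uri https://[YOURDOMAIN]/your_report_URI" to the value.
add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'self'" always;

# Never send the Referer header (strictest setting; loosen to
# strict-origin-when-cross-origin if analytics needs the origin).
add_header Referrer-Policy "no-referrer" always;

# Expect-CT is obsolete: browsers enforce Certificate Transparency for all
# certificates issued since 2018, so this only affects legacy clients. If you
# have a collector, append ', report-uri="https://[YOURDOMAIN]/your_report_URI"'.
add_header Expect-CT "max-age=86400, enforce" always;

# Feature-Policy has been superseded by Permissions-Policy; send both for
# browser coverage. "vibrate" is not a Permissions-Policy feature and is
# dropped from the newer header. Extend the deny list to suit the application.
add_header Feature-Policy "vibrate 'none'; geolocation 'none'; camera 'none'" always;
add_header Permissions-Policy "geolocation=(), camera=()" always;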