Adding security headers
gallu commented
Quick notes for now, below.

Has a config setting:
- X-Frame-Options: SAMEORIGIN
  - DENY
  - ALLOW-FROM origin_uri
  - Frame-Options?
- Content-Security-Policy: default-src 'self'
  - default-src 'self' *.example.com

No config setting (for now):
- X-Content-Type-Options: nosniff
- X-XSS-Protection: 1; mode=block

What to do about these?
- Access-Control-Allow-Origin
- Strict-Transport-Security
- X-XSS-Protection
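As an added example (not part of gallu's issue or of any project config), here is a small Python audit that checks a set of response headers against the headers listed in the memo; the sample headers are constructed for the demonstration.

```python
import re

# Constructed sample response headers (not taken from the issue) to audit
# against the header list in the memo above.
SAMPLE_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self' *.example.com",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Access-Control-Allow-Origin": "*",
}

# The three X-Frame-Options forms named in the memo.
XFO_RE = re.compile(r"^(SAMEORIGIN|DENY|ALLOW-FROM\s+\S+)$", re.IGNORECASE)


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    # Header names are case-insensitive, so normalise them first.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    elif not XFO_RE.match(xfo):
        findings.append(f"X-Frame-Options has unrecognised value: {xfo!r}")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        # First token of each ';'-separated directive is its name.
        directives = {d.strip().split()[0] for d in csp.split(";") if d.strip()}
        if "default-src" not in directives:
            findings.append("Content-Security-Policy lacks default-src fallback")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security") or "")
    if not m:
        findings.append("Strict-Transport-Security missing or without max-age")
    elif int(m.group(1)) == 0:
        findings.append("Strict-Transport-Security max-age=0 disables HSTS")

    if h.get("access-control-allow-origin") == "*":
        findings.append("Access-Control-Allow-Origin is '*' (any origin may read responses)")

    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection absent (legacy header; CSP is the modern control)")
    return findings
```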