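/*
X-Frame-Options: DENY
# The legacy XSS auditor has been removed from Chromium-based browsers and was
# never in Firefox; where it still exists it has been abused for cross-site
# information leaks. Current guidance (OWASP) is to disable it explicitly and
# rely on the Content-Security-Policy below instead.
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
# max-age 2 years + includeSubDomains + preload is the hstspreload.org
# requirement; the `preload` token only has an effect once the domain has
# actually been submitted to the preload list.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Referrer-Policy: no-referrer
# Feature-Policy is the deprecated spelling of Permissions-Policy. Browsers that
# support Permissions-Policy give it precedence when both are sent; the old
# header is kept so older browsers still get the restrictions. Keep the two
# lists in sync when adding or removing a feature.
Feature-Policy: accelerometer 'none'; ambient-light-sensor 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; geolocation 'none'; gyroscope 'none'; legacy-image-formats 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; publickey-credentials-get 'none'; usb 'none'; wake-lock 'none'; xr-spatial-tracking 'none'
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), geolocation=(), gyroscope=(), legacy-image-formats=(), magnetometer=(), microphone=(), midi=(), payment=(), publickey-credentials-get=(), usb=(), wake-lock=(), xr-spatial-tracking=()
# Unfortunately, for the moment we have to allow `unsafe-inline` for the stuff generated in `scripts.html`. We are also currently using inline styles. :(
# TODO(review): 'unsafe-eval' in script-src is not explained by the note above.
# Record which dependency needs it and drop it if none does; moving the
# generated inline scripts to nonces or hashes would also let us drop
# 'unsafe-inline' for scripts.
# base-uri and frame-ancestors do NOT inherit from default-src, so they are set
# explicitly: without base-uri 'self' an injected <base> tag could redirect every
# relative script URL, and frame-ancestors 'none' is the CSP counterpart of
# X-Frame-Options: DENY above (CSP wins in browsers that support both).
Content-Security-Policy: default-src 'none'; child-src 'self'; connect-src 'self' https://backend.datenanfragen.de https://search.datenanfragen.de blob:; font-src data: https://static.dacdn.de; form-action 'self' https://www.paypal.com https://backend.datenanfragen.de; frame-src https://media.datenanfragen.de; img-src 'self' data:; media-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://static.dacdn.de/fonts/; worker-src 'self'; manifest-src 'self'; base-uri 'self'; frame-ancestors 'none'
# NOTE(review): same-origin severs window.opener for any popup opened to another
# origin. The PayPal form-action above is a top-level navigation and is not
# affected, but if checkout ever moves to a popup flow this needs
# same-origin-allow-popups -- confirm before changing.
Cross-Origin-Opener-Policy: same-origin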