From af2bcf2e7dc848906c6a75ece6b99a5193bd8058 Mon Sep 17 00:00:00 2001
From: LRVT <21357789+l4rm4nd@users.noreply.github.com>
Date: Wed, 14 Feb 2024 17:47:39 +0100
Subject: [PATCH] Update fileConfig.yml

add missing permission policy + csp directives
---
 examples/traefik/fileConfig.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/examples/traefik/fileConfig.yml b/examples/traefik/fileConfig.yml
index d3844fa..c33227a 100644
--- a/examples/traefik/fileConfig.yml
+++ b/examples/traefik/fileConfig.yml
@@ -58,7 +58,7 @@ http:
 Server: "" # prevent version disclosure
 X-Powered-By: "" # prevent version disclosure
 X-Forwarded-Proto: "https"
-#Permissions-Policy: "geolocation=(self), midi=(self), camera=(self), usb=(self), magnetometer=(self), accelerometer=(self), gyroscope=(self), microphone=(self)"
+#Permissions-Policy: "accelerometer=(), autoplay=(), camera=(), display-capture=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()"
 #Cross-Origin-Embedder-Policy: "unsafe-none"
 #Cross-Origin-Opener-Policy: "same-origin"
 #Cross-Origin-Resource-Policy: "same-site"
@@ -76,7 +76,7 @@ http:
 stsIncludeSubdomains: true # HTTP-Strict-Transport-Security (HSTS)
 stsSeconds: 63072000 # HTTP-Strict-Transport-Security (HSTS)
 stsPreload: true # HTTP-Strict-Transport-Security (HSTS)
-#contentSecurityPolicy: "block-all-mixed-content" # Content-Security-Policy (CSP)
+#contentSecurityPolicy: "default-src 'self'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content" # Content-Security-Policy (CSP)
 
 # Authelia guard
 authelia:
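Review bot: The new Permissions-Policy template sets `publickey-credentials-get=()`, which denies `navigator.credentials.get()` to every origin including the app's own, so any WebAuthn/FIDO2 login behind a router that uses this headers middleware will fail the moment the line is uncommented; the `authelia:` stanza further down this file suggests such a portal may well sit behind it. Since the old value was `(self)`-scoped and this one is offered as a ready-to-uncomment baseline, keep that feature self-scoped, `publickey-credentials-get=(self)`, and note in a comment that `fullscreen=()`, `picture-in-picture=()` and `encrypted-media=()` will likewise break video-player UIs and must be relaxed per service. I would add above the line: `# deny-everything baseline — relax individual features per service; '()' also blocks the app's own origin`. Browsers ignore feature names they do not recognise, so the long list is otherwise harmless.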
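Review bot: `default-src 'self'` with no `script-src`/`style-src` carve-outs blocks every inline `<script>`, inline `<style>` and `eval()`, so enabling this value as a shared Traefik middleware will break most self-hosted web UIs rather than harden them, and if a backend already emits its own CSP the browser enforces both (the intersection), depending on whether Traefik replaces or appends the header — worth a comment so the template is not applied proxy-wide. `block-all-mixed-content` is deprecated and redundant once `upgrade-insecure-requests` is present, while `base-uri 'self'` is a cheap addition that closes `<base>`-tag injection. Proposed line: `#contentSecurityPolicy: "default-src 'self'; base-uri 'self'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests" # CSP — per-service starting point; most UIs need script-src/style-src relaxed`.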