Alan Orth
7ba5afcec4
Google's new Federated Learning of Cohorts (FLoC) will read user's browser history and assign them to cohorts to track them unless we set this header.
21 lines
1.2 KiB
Plaintext
21 lines
1.2 KiB
Plaintext
# The X-Frame-Options header indicates whether a browser should be allowed
|
|
# to render a page within a frame or iframe.
|
|
add_header X-Frame-Options SAMEORIGIN always;
|
|
|
|
# MIME type sniffing security protection
|
|
# There are very few edge cases where you wouldn't want this enabled.
|
|
add_header X-Content-Type-Options nosniff always;
|
|
|
|
# The X-XSS-Protection header is used by Internet Explorer version 8+
|
|
# The header instructs IE to enable its inbuilt anti-cross-site scripting filter.
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
|
|
# with Content Security Policy (CSP) enabled (and a browser that supports it (http://caniuse.com/#feat=contentsecuritypolicy),
|
|
# you can tell the browser that it can only download content from the domains you explicitly allow
|
|
# CSP can be quite difficult to configure, and cause real issues if you get it wrong
|
|
# There is website that helps you generate a policy here http://cspisawesome.com/
|
|
# add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;" always;
|
|
|
|
# Opt this site out of Google Chrome's Federated Learning of Cohorts (FLoC)
|
|
add_header Permissions-Policy interest-cohort=() always;
|