- `Cross-Origin-Embedder-Policy` has only one widely supported value that enables isolation: `require-corp` (the default, `unsafe-none`, leaves it off).
- `Cross-Origin-Resource-Policy` set to `same-origin` is more secure than `same-site`, because a "site" is the registrable domain (plus scheme), so `same-site` also admits every subdomain. See "Consider deploying Cross-Origin Resource Policy" for details.
- `Cross-Origin-Opener-Policy` set to `same-origin` is a safe, locked-down policy. See "Making your website 'cross-origin isolated' using COOP and COEP" for details.
- `require-trusted-types-for 'script'` prevents DOM injection sinks (`innerHTML`, `eval`, etc.) from accepting plain strings. However, it is a relatively new CSP directive that is not fully supported by all browsers: Firefox will, e.g., mark it as 'unknown', but this does not prevent its use. I presume Chrome recognizes it, as it is a directive that Google's CSP Evaluator (https://csp-evaluator.withgoogle.com/) both recognizes and suggests as a recommended security measure.
- `block-all-mixed-content` is effectively a no-op when `upgrade-insecure-requests` is set (the latter is evaluated first, and the former is deprecated). However, I still use both.
- One may set the HTTP header `Strict-Transport-Security` to the currently recommended value of two years (`max-age=63072000; includeSubDomains; preload`) instead of the one year that the Cloudflare dashboard allows, by setting the header from Cloudflare Workers as shown above.
- There are optional headers that do not affect a site's security per se but add privacy enhancements, depending on the site's or application's needs:
  - `Clear-Site-Data` (which also has the benefit of cache-busting: a simple way to force browsers/user agents to clear their cache when the site loads).
  - `X-DNS-Prefetch-Control: off` is a good header to use when you don't want to leak information (via speculative DNS lookups) to sites linked to from your own site. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control.
- The `X-Frame-Options` header has been obsoleted by the `Content-Security-Policy` `frame-ancestors` directive. However, considering that only a small minority of sites employ CSP at all, and that only a small minority of those use `frame-ancestors 'none'`, which properly protects against clickjacking attacks, I still employ `X-Frame-Options: DENY` for the sake of completeness / defense in depth / to support older UAs such as Internet Explorer and early releases of Firefox, Chromium, Safari, etc.
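The header set this list describes, assembled as a Cloudflare-Worker-style response filter. This is an added JavaScript example, not the page's own Worker code: the `default-src 'self'` source list and the `clearSiteData` option are assumptions for illustration, and `checkHsts` is a hypothetical helper that verifies an HSTS value against the two-year, `includeSubDomains`, `preload` bar argued for above (useful for confirming what the edge actually sent).

```javascript
// Added example: a Cloudflare-Worker-style header set built from the list above.
// Not the page's own code. Also runs under Node 18+ (global Headers/Response/fetch).

const TWO_YEARS = 63072000; // seconds; the HSTS max-age the page recommends

// CSP assembled from the directives discussed above. 'self' for default-src is an
// assumption for this example; a real site substitutes its own allow-list or nonces.
const CSP = [
  "default-src 'self'",
  "frame-ancestors 'none'",             // CSP replacement for X-Frame-Options: DENY
  "require-trusted-types-for 'script'", // DOM XSS sinks accept only TrustedType objects
  "upgrade-insecure-requests",          // evaluated first; makes the next line a no-op
  "block-all-mixed-content",            // deprecated, kept for older UAs as the page does
].join("; ");

// Returns the headers as a plain object so they can be inspected or applied.
// clearSiteData is a hypothetical option for the cache-busting use of Clear-Site-Data.
function buildSecurityHeaders({ clearSiteData = false } = {}) {
  const headers = {
    "Strict-Transport-Security": `max-age=${TWO_YEARS}; includeSubDomains; preload`,
    "Content-Security-Policy": CSP,
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
    "X-Frame-Options": "DENY",
    "X-DNS-Prefetch-Control": "off",
  };
  if (clearSiteData) headers["Clear-Site-Data"] = '"cache"'; // directive names must be quoted
  return headers;
}

// Hypothetical check: does an HSTS value meet the two-year / includeSubDomains / preload
// bar argued for above? Directive names are case-insensitive, so compare lowercased.
function checkHsts(value) {
  const directives = String(value).split(";").map((d) => d.trim().toLowerCase());
  const maxAge = directives.find((d) => d.startsWith("max-age="));
  const seconds = maxAge ? Number(maxAge.slice("max-age=".length)) : NaN;
  return {
    maxAge: seconds,
    twoYears: Number.isFinite(seconds) && seconds >= TWO_YEARS,
    includeSubDomains: directives.includes("includesubdomains"),
    preload: directives.includes("preload"),
  };
}

// Copies an upstream Response and overwrites its security headers: the usual
// Worker pattern, since a Response returned by fetch() has immutable headers.
function applySecurityHeaders(response, opts) {
  const out = new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: response.headers,
  });
  for (const [name, value] of Object.entries(buildSecurityHeaders(opts))) {
    out.headers.set(name, value);
  }
  return out;
}

// Worker entry point; in a real Worker this object is the module's default export.
const worker = {
  async fetch(request) {
    const upstream = await fetch(request);
    return applySecurityHeaders(upstream, { clearSiteData: false });
  },
};
```

Setting the headers on a copied Response rather than mutating the upstream one matters because Cloudflare's `fetch()` result is immutable; the `checkHsts` helper is worth running against a live response from the edge, since a dashboard-managed HSTS setting would report `maxAge: 31536000` and `twoYears: false`.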