Security Headers
Good configurations are safe by default, allow flexibility, and warn against mistakes.
Allow users to configure these in a guided manner: not as free-text custom headers, but as named options with sensible defaults and data validation.
Measurements
Headers to Implement

- Strict-Transport-Security (HSTS) #29 (closed)
- Content-Security-Policy
- Public-Key-Pins
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Referrer-Policy
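As an added example (not Commons Host code, and not from this issue's author), here is one way to turn the headers listed above into the kind of guided configuration described: each header is a named option with a safe default, values are validated so a typo cannot slip through as a free-text header, and valid-but-weak settings produce warnings instead of silently shipping. The option names (`hsts`, `csp`, `frameOptions`, and so on) and the `buildSecurityHeaders` function are assumptions made for this example; the header values themselves follow the respective specifications.

```javascript
// Added example, not the project's own code: build the listed security headers
// from named options with safe defaults, validation, and warnings.

const ONE_YEAR = 31536000; // seconds; the minimum max-age accepted by the HSTS preload list

// Assumed option schema; setting any top-level option to false omits that header.
const DEFAULTS = {
  hsts: { maxAge: ONE_YEAR, includeSubDomains: true, preload: false },
  csp: { 'default-src': ["'self'"] },
  frameOptions: 'DENY',
  xssProtection: '1; mode=block',
  contentTypeOptions: 'nosniff',
  referrerPolicy: 'strict-origin-when-cross-origin',
  hpkp: null, // deliberately no default: a wrong pin locks users out, so pins are opt-in
};

const FRAME_OPTIONS = new Set(['DENY', 'SAMEORIGIN']);
const XSS_PROTECTION = new Set(['0', '1', '1; mode=block']);
const REFERRER_POLICIES = new Set([
  'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
  'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url',
]);
const CSP_DIRECTIVE = /^[a-z][a-z0-9-]*$/;

function buildSecurityHeaders(options = {}) {
  const opts = { ...DEFAULTS, ...options };
  const headers = {};
  const warnings = [];

  // Strict-Transport-Security
  if (opts.hsts) {
    const { maxAge, includeSubDomains, preload } = { ...DEFAULTS.hsts, ...opts.hsts };
    if (!Number.isInteger(maxAge) || maxAge < 0) throw new Error('hsts.maxAge must be a non-negative integer');
    if (maxAge < ONE_YEAR) warnings.push(`hsts.maxAge ${maxAge} is below one year; preload requires at least ${ONE_YEAR}`);
    if (preload && !includeSubDomains) warnings.push('hsts.preload requires includeSubDomains');
    headers['Strict-Transport-Security'] =
      `max-age=${maxAge}` + (includeSubDomains ? '; includeSubDomains' : '') + (preload ? '; preload' : '');
  }

  // Content-Security-Policy: an object mapping directive name -> list of sources
  if (opts.csp) {
    const parts = [];
    for (const [name, sources] of Object.entries(opts.csp)) {
      if (!CSP_DIRECTIVE.test(name)) throw new Error(`invalid CSP directive name: ${name}`);
      if (!Array.isArray(sources) || sources.length === 0) throw new Error(`csp.${name} must be a non-empty list of sources`);
      if (name === 'script-src' && sources.some((s) => s === "'unsafe-inline'" || s === "'unsafe-eval'")) {
        warnings.push(`csp.${name} allows unsafe-inline or unsafe-eval, which weakens XSS protection`);
      }
      parts.push(`${name} ${sources.join(' ')}`);
    }
    headers['Content-Security-Policy'] = parts.join('; ');
  }

  // Public-Key-Pins: emitted only when pins are given explicitly.
  // RFC 7469 requires at least two pins, one of them a backup key not in the served chain.
  if (opts.hpkp) {
    const { pins, maxAge = 5184000, includeSubDomains = false } = opts.hpkp;
    if (!Array.isArray(pins) || pins.length < 2 || !pins.every((p) => typeof p === 'string' && p.length > 0)) {
      throw new Error('hpkp.pins needs at least two non-empty pin-sha256 values (one must be a backup)');
    }
    if (!Number.isInteger(maxAge) || maxAge < 0) throw new Error('hpkp.maxAge must be a non-negative integer');
    headers['Public-Key-Pins'] =
      pins.map((p) => `pin-sha256="${p}"`).join('; ') + `; max-age=${maxAge}` + (includeSubDomains ? '; includeSubDomains' : '');
  }

  // Remaining headers take one value from a small, validated set
  if (opts.frameOptions) {
    if (!FRAME_OPTIONS.has(opts.frameOptions)) throw new Error(`frameOptions must be one of ${[...FRAME_OPTIONS].join(', ')}`);
    headers['X-Frame-Options'] = opts.frameOptions;
  }
  if (opts.xssProtection) {
    if (!XSS_PROTECTION.has(opts.xssProtection)) throw new Error(`xssProtection must be one of ${[...XSS_PROTECTION].join(', ')}`);
    headers['X-XSS-Protection'] = opts.xssProtection;
  }
  if (opts.contentTypeOptions) {
    if (opts.contentTypeOptions !== 'nosniff') throw new Error('contentTypeOptions only accepts "nosniff"');
    headers['X-Content-Type-Options'] = 'nosniff';
  }
  if (opts.referrerPolicy) {
    if (!REFERRER_POLICIES.has(opts.referrerPolicy)) throw new Error(`referrerPolicy must be one of ${[...REFERRER_POLICIES].join(', ')}`);
    headers['Referrer-Policy'] = opts.referrerPolicy;
  }

  return { headers, warnings };
}

// Usage: a short HSTS max-age is accepted but flagged, so the user learns why it is weak.
const example = buildSecurityHeaders({ hsts: { maxAge: 300 } });
console.log(example.headers);
console.log(example.warnings);
```

The design point is that the caller never writes a raw header string: every value either comes from a known-good default, passes a whitelist or range check, or raises an error naming the option, and settings that are syntactically valid but weak (a short HSTS lifetime, `preload` without `includeSubDomains`, `'unsafe-inline'` in `script-src`) are surfaced as warnings rather than rejected, which is what "allow flexibility, and warn against mistakes" asks for. Public-Key-Pins has no default on purpose: a mispinned key is self-inflicted denial of service, so it is only emitted when the operator supplies pins explicitly and the two-pin minimum from the spec is met.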
Edited by Sebastiaan Deckers