Add security headers
Fixes #210 (closed)
What does this MR do?
We should have a content security policy and some other headers! It helps with XSS and other things, see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP.
How confident are you it won't break things if deployed?
Should be ok!
Won't do anything without the following added to a config file:
(this is a nice endpoint to report violations to Sentry - see the foodsharing-csp project in Sentry)
After some time making sure there are no more reports, can also then add:
This will then actually block violating requests.
Links to related issues
- added a test, or explain why one is not needed/possible... erm... could have added one ... sorry
- no unrelated changes
- asked someone for a code review
- joined #foodsharing-beta channel at https://slackin.yunity.org
- added an entry to CHANGELOG.md (description, merge request link, username(s))
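The rollout this description outlines (no header until a report endpoint is configured, then report-only, then enforcing) can be sketched as follows. This is an added example, not code from the merge request or the project; the config keys `CSP_REPORT_URI` and `CSP_ENFORCE`, the sample directives and the report URL are assumptions made for illustration.

```python
from typing import Mapping, Optional, Sequence, Tuple

# Constructed sample policy for illustration; not the project's real directives.
SAMPLE_DIRECTIVES = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "img-src": ["'self'", "data:"],
}

REPORT_ONLY = "Content-Security-Policy-Report-Only"
ENFORCE = "Content-Security-Policy"


def _safe(token: str) -> str:
    """Reject characters that would split a directive or inject a header."""
    if not token or any(c in token for c in "; ,\r\n"):
        raise ValueError(f"unsafe CSP token: {token!r}")
    return token


def build_policy(directives: Mapping[str, Sequence[str]], report_uri: str) -> str:
    parts = [" ".join(_safe(t) for t in (name, *sources))
             for name, sources in directives.items()]
    parts.append("report-uri " + _safe(report_uri))
    return "; ".join(parts)


def csp_header(config: Mapping[str, object],
               directives: Mapping[str, Sequence[str]] = SAMPLE_DIRECTIVES
               ) -> Optional[Tuple[str, str]]:
    """Return (header name, value), or None when CSP is not configured.

    CSP_REPORT_URI and CSP_ENFORCE are hypothetical config keys.
    """
    report_uri = config.get("CSP_REPORT_URI")
    if not report_uri:
        return None  # nothing configured: no header is sent
    name = ENFORCE if config.get("CSP_ENFORCE") else REPORT_ONLY
    return name, build_policy(directives, str(report_uri))


if __name__ == "__main__":
    uri = "https://sentry.example.invalid/csp-report"  # constructed placeholder
    for cfg in ({}, {"CSP_REPORT_URI": uri},
                {"CSP_REPORT_URI": uri, "CSP_ENFORCE": True}):
        print(cfg, "->", csp_header(cfg))
```

In the enforcing state the `report-uri` directive stays in the policy, so blocked requests are still reported to the same endpoint.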