Commit 90257be7 authored by Mark van Lent's avatar Mark van Lent

Include Feature-Policy header in Nginx config.

For more information, see
https://scotthelme.co.uk/a-new-security-header-feature-policy/
parent 0b20326f
......@@ -20,6 +20,7 @@ server {
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy strict-origin-when-cross-origin;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' disqus.com/api/3.0/threads/set.jsonp a.disquscdn.com/embed.js vlent.disqus.com; style-src 'self' a.disquscdn.com; img-src 'self' referrer.disqus.com/juggler/stat.gif a.disquscdn.com/next/embed/assets/img/; frame-src disqus.com a.disquscdn.com; child-src disqus.com a.disquscdn.com; object-src 'none'; upgrade-insecure-requests; reflected-xss block;";
add_header Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'";
server_tokens off;
# Location of the content
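Review bot: The new `add_header Feature-Policy` line, like the other add_header directives in this server block, is only emitted on 2xx/3xx responses, because nginx omits headers from `add_header` on 4xx/5xx status codes unless the directive carries the `always` flag (nginx 1.7.5+); `add_header Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'" always;` would also cover error pages. Separately, nginx inherits `add_header` from the server level only into location blocks that define no `add_header` of their own, so if any `location` below this hunk adds a header itself, every server-level header including this one is silently dropped for that location — worth a one-line comment here, e.g. `# NOTE: any location{} that uses add_header must repeat these headers (nginx does not merge them)`. Since the page embeds Disqus frames (see the frame-src directive above), the 'none' allowlists also apply to those iframes, which appears to be the intent. Browsers have since moved to the successor `Permissions-Policy` header (`accelerometer=(), camera=(), ...`), so sending both is the usual path if this config is still maintained. The server block these lines belong to starts and ends outside the hunk.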