365DevNet/365devnet
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Cross-Origin Resource Policy headers for enhanced security

Browse Source 
- Introduced Cross-Origin-Resource-Policy header in server.js, nginx.conf, and _headers to restrict resource sharing to same-site origins, improving security against cross-origin attacks.
- Ensured consistent application of Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy across server and nginx configurations for better resource management.
This commit is contained in:
Richard Bergsma
2025-11-18 22:56:56 +01:00
parent 6fa07b4b63
commit 8e7ee9dba4
4 changed files with 121 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
nginx/nginx.conf
View File

@@ -54,6 +54,9 @@ http {
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), interest-cohort=()" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Embedder-Policy "credentialless" always;
add_header Cross-Origin-Resource-Policy "same-site" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Client body size limit