...
The following headers must be set in the responses generated by the OpenSpecimen instance. This reduces users' exposure to security issues such as XSS, clickjacking and drive-by downloads.
Header | Value | Description |
---|---|---|
X-Content-Type-Options | nosniff | Helps prevent drive-by downloads by stopping the browser from MIME-sniffing responses. |
Strict-Transport-Security | max-age=31536000; includeSubDomains | Instructs browsers that the OpenSpecimen app must only be accessed over HTTPS. |
Content-Security-Policy | script-src 'self' 'unsafe-eval'; | Allows scripts only from the app's own origin (OpenSpecimen); no scripts from other external apps. Helps in preventing XSS. |
X-Frame-Options | SAMEORIGIN | Allows framing of pages only from the same origin. Helps in preventing clickjacking. |
Referrer-Policy | same-origin | Prevents sending the referrer on cross-origin requests, thereby preventing accidental data leaks. |
Permissions-Policy | accelerometer=(),autoplay=(),camera=(),encrypted-media=(),fullscreen=*,geolocation=(self),gyroscope=(),interest-cohort=(),magnetometer=(),microphone=(),midi=(),payment=(),sync-xhr=(self),usb=(),xr-spatial-tracking=() | Disables all browser features that are not used by the app. |
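As a verification aid, the script below audits a captured set of response headers against the table above and reports every deviation: a missing header, a wrong fixed value, an HSTS `max-age` shorter than one year or lacking `includeSubDomains`, a `script-src` that admits sources beyond `'self'` and `'unsafe-eval'`, and any Permissions-Policy feature whose allowlist is broader than the table prescribes. It is an added example written for this page, not part of OpenSpecimen; the expected values are copied from the table, and the `SAMPLE_HEADERS` dictionary is a constructed, deliberately misconfigured response used only to demonstrate the findings.

```python
import re
from typing import Dict, List

# Target values copied from the table above. Header names are compared
# case-insensitively (RFC 9110); each value is checked as described below.
EXPECTED_EXACT = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "same-origin",
}
MIN_HSTS_MAX_AGE = 31536000  # one year, as in the table
ALLOWED_SCRIPT_SOURCES = {"'self'", "'unsafe-eval'"}
EXPECTED_PERMISSIONS_POLICY = (
    "accelerometer=(),autoplay=(),camera=(),encrypted-media=(),fullscreen=*,"
    "geolocation=(self),gyroscope=(),interest-cohort=(),magnetometer=(),"
    "microphone=(),midi=(),payment=(),sync-xhr=(self),usb=(),xr-spatial-tracking=()"
)


def parse_permissions_policy(value: str) -> Dict[str, List[str]]:
    """Parse 'feature=(a b),feature2=*' into {feature: allowlist}; '*' becomes ['*']."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(","):
        name, _, allow = directive.strip().partition("=")
        if not name:
            continue  # tolerate a trailing comma
        allow = allow.strip()
        if allow.startswith("(") and allow.endswith(")"):
            policy[name.strip()] = allow[1:-1].split()
        else:
            policy[name.strip()] = [allow]  # '*' or an unparenthesised single origin
    return policy


def _broader_than(actual: List[str], expected: List[str]) -> bool:
    """True if the actual allowlist grants more than the expected one."""
    if expected == ["*"]:
        return False
    if "*" in actual:
        return True
    return not set(actual) <= set(expected)


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every header matches the table."""
    h = {k.strip().lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    for name, expected in EXPECTED_EXACT.items():
        actual = h.get(name.lower())
        if actual is None:
            findings.append(f"missing: {name}")
        elif actual.lower() != expected.lower():
            findings.append(f"{name}: got {actual!r}, expected {expected!r}")

    # HSTS is only honoured by browsers when received over HTTPS; the directives
    # are checked regardless so a weak value is caught before deployment.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing: Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security: max-age below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security: includeSubDomains missing")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing: Content-Security-Policy")
    else:
        directives = {}
        for d in csp.split(";"):
            parts = d.split()
            if parts:
                directives[parts[0].lower()] = parts[1:]
        sources = directives.get("script-src")
        if sources is None:
            findings.append("Content-Security-Policy: no script-src directive")
        else:
            extra = sorted(set(sources) - ALLOWED_SCRIPT_SOURCES)
            if extra:
                findings.append(f"Content-Security-Policy: script-src allows {extra}")

    pp = h.get("permissions-policy")
    if pp is None:
        findings.append("missing: Permissions-Policy")
    else:
        actual_pp = parse_permissions_policy(pp)
        for feature, expected in parse_permissions_policy(EXPECTED_PERMISSIONS_POLICY).items():
            got = actual_pp.get(feature)
            if got is None:
                findings.append(f"Permissions-Policy: {feature} not restricted")
            elif _broader_than(got, expected):
                findings.append(f"Permissions-Policy: {feature}={got} broader than {expected}")
    return findings


# Constructed sample: a response that gets several headers wrong, for demonstration only.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "script-src 'self' 'unsafe-eval' https://cdn.example;",
    "X-Frame-Options": "SAMEORIGIN",
    "Permissions-Policy": "accelerometer=(),autoplay=(),camera=(self),encrypted-media=(),"
                          "fullscreen=*,geolocation=(self),gyroscope=(),interest-cohort=(),"
                          "magnetometer=(),microphone=(),midi=(),payment=(),sync-xhr=(self),"
                          "usb=(),xr-spatial-tracking=()",
}

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```

To audit a live deployment, feed `audit_headers` the header mapping from any HTTP client response (for example `response.headers` from `requests`); the check is intentionally strict for the Permissions-Policy, so a feature the table disables but the response allows, even for `self`, is reported.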
...