Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Header

Value

Description

X-Content-Type-Options

nosniff

Helps prevent drive-by downloads.

Strict-Transport-Security

max-age=31536000; includeSubDomains

Puts a constraint on the browsers/users that the OpenSpecimen app should only be accessed using HTTPS.

Content-Security-Policy

script-src 'self' 'unsafe-eval';

Allow scripts only from the origin (OpenSpecimen app). No other external app scripts. Helps in preventing XSS.

X-Frame-Options

SAMEORIGIN

Allows framing of pages from the same origin. Helps in preventing click-jacking

Referrer-Policy

same-origin

Prevents sending referrer for cross-origin requests . Prevents and thereby accidental data leaks.

Permissions-Policy

accelerometer=(),autoplay=(),camera=(),encrypted-media=(),fullscreen=*,geolocation=(self),gyroscope=(),interest-cohort=(),magnetometer=(),microphone=(),midi=(),payment=(),sync-xhr=(self),usb=(),xr-spatial-tracking=()

Disable all browser features that are not used by the app.

...