10-09-2019, 11:55 AM
Hi Magnus. I have suggestions to you add in your headers:
Now, i suggest you be careful and test all your application running all forms with console opened.
This is working FOR ME, make all your adjustment for your needs.
Code:
Referrer-Policy -> same-origin
Strict-Transport-Security -> max-age=15768000; includeSubDomains; preload
X-Content-Type-Options -> nosniff
X-Permitted-Cross-Domain-Policies -> master-only
X-XSS-Protection -> 1; mode=blockCode:
Content-Security-Policy -> default-src 'self' https: 'unsafe-inline' 'unsafe-eval'; img-src 'self' https: data:; object-src https 'self'; media-src 'self' https:; style-src 'self' https: 'unsafe-inline'; script-src 'self' https: 'unsafe-inline' 'unsafe-eval'; frame-ancestors https: 'self' *.facebook.com; base-uri 'self' https: