Adds the following headers as static:
X-Content-Type-Options "nosniff"
X-XSS-Protection "1; mode=block"
append Content-Security-Policy "default-src 'self' https: wss:;"
nosniff prevents non-executable mime types from becoming executable.
The X-XSS-Protection header will prevent the loading of a page if the
browser detects an xss attack. The Content-Security-Policy declares
what dynamic resources are allowed to load.
Adds the following header as user-settable via the
keystone_x_frame_options variable.
X-Frame-Options "DENY"
By default the X-Frame-Options header denies embedding in an iframe.
Change-Id: Iadd3e93bdb7e9d41ae1d027196367448dbce19f1
Partial-Bug: 1717321
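The four headers named in the commit message are easy to configure and just as easy to lose again behind a proxy or a later config change, so a deployer usually wants a check that reads a live response and confirms they are present with the expected values. The following is an added example, not code from the openstack-ansible-os_keystone change or the project itself: it parses a raw HTTP/1.x response, splits the Content-Security-Policy into directives, and reports every deviation from the values in the commit message. The X-Frame-Options expectation is a parameter because the change makes that header overridable via `keystone_x_frame_options`; the two sample responses are constructed here and were not captured from a real keystone deployment.

```python
from __future__ import annotations


def parse_response_headers(raw: bytes) -> dict[str, list[str]]:
    """Map lower-cased header name -> list of values from a raw HTTP response.

    A list is kept per name because a header can legitimately occur more
    than once (for example when a server 'append's rather than 'set's it).
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers: dict[str, list[str]] = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # [0] is the status line
        name, sep, value = line.partition(":")
        if sep:  # skip blank or malformed lines
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [source tokens]} (';' separated)."""
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_security_headers(headers: dict[str, list[str]],
                           x_frame_options: str = "DENY") -> list[str]:
    """Return findings (empty list == all checks passed).

    Expected values are the ones from the commit message; x_frame_options
    mirrors the keystone_x_frame_options variable and defaults to DENY.
    """
    findings: list[str] = []

    def single(name: str) -> str | None:
        values = headers.get(name.lower(), [])
        if not values:
            findings.append(f"{name}: missing")
            return None
        if len(values) > 1:
            findings.append(f"{name}: sent {len(values)} times; browsers may merge or ignore")
        return values[0]

    v = single("X-Content-Type-Options")
    if v is not None and v.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options: expected 'nosniff', got {v!r}")

    v = single("X-XSS-Protection")
    if v is not None and v.replace(" ", "").lower() != "1;mode=block":
        findings.append(f"X-XSS-Protection: expected '1; mode=block', got {v!r}")

    v = single("X-Frame-Options")
    if v is not None and v.upper() != x_frame_options.upper():
        findings.append(f"X-Frame-Options: expected {x_frame_options!r}, got {v!r}")

    v = single("Content-Security-Policy")
    if v is not None:
        default_src = parse_csp(v).get("default-src")
        if default_src is None:
            findings.append("Content-Security-Policy: no default-src directive")
        else:
            if "'self'" not in default_src:
                findings.append("Content-Security-Policy: default-src lacks 'self'")
            for tok in default_src:  # sources that undo the restriction to 'self'
                if tok in ("*", "'unsafe-inline'", "'unsafe-eval'"):
                    findings.append(f"Content-Security-Policy: default-src allows {tok}")
    return findings


def audit(raw: bytes, x_frame_options: str = "DENY") -> list[str]:
    """Convenience wrapper: raw response bytes -> findings."""
    return check_security_headers(parse_response_headers(raw), x_frame_options)


# Constructed sample responses (not captured from any real deployment).
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"Content-Security-Policy: default-src 'self' https: wss:;\r\n"
    b"\r\n"
    b'{"versions": []}'
)
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"X-Frame-Options: ALLOWALL\r\n"
    b"Content-Security-Policy: default-src * 'unsafe-inline'\r\n"
    b"\r\n"
    b'{"versions": []}'
)

if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit(raw) or "OK")
```

Running the script prints `hardened OK` and six findings for the weak sample (two missing headers, a wrong X-Frame-Options value, and three CSP problems). A deployer who overrides `keystone_x_frame_options` to `SAMEORIGIN` passes that value as the second argument so the check tracks the configured policy rather than the default.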
9 lines
405 B
YAML
---
security:
  - |
    The following headers were added as additional default (and static) values.
    `X-Content-Type-Options nosniff`, `X-XSS-Protection "1; mode=block"`, and
    `Content-Security-Policy "default-src 'self' https: wss:;"`. Additionally,
    the `X-Frame-Options DENY` header was added, defaulting to DENY. You may
    override the header via the `keystone_x_frame_options` variable.