Set X-XSS-Protection to 1; mode=block. #1550
Aug 6, 2018
As a side note, there are other security headers that people should maybe add:
They require more custom configuration compared to this one, so there isn't much a library would really be adding, but it would be cool if Yesod developers were encouraged to use them. Not sure the best way to do that—maybe some commented-out code in the scaffolding?
Aug 6, 2018
I think the best default you could give is to set the
Referrer-Policy seems fine to enable by default. My understanding is that it improves privacy by concealing where users came from.
Feature-Policy is brand spanking new, like it was on Hacker News last week, so I don't have comments on it really. But it lets you do things like prevent the site from vibrating the phone.
I'm a bit late to the party here, but found this issue via the changelog. It's a Chrome-specific feature, but would be nice to allow setting a
You can combine both block and report, so it would look something like this:
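The thread above discusses three headers: the `X-XSS-Protection` value this PR sets (with the optional `report=` directive the last comment mentions), `Referrer-Policy`, and `Feature-Policy`. The following is an added example, not code from this PR or from Yesod itself: a WAI middleware, built on `addHeaders` from `wai-extra`, that sets all three on every response so a Yesod or plain Warp application can be wrapped with it. The report endpoint `/xss-report`, the port, and the placeholder application are assumptions for illustration.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example (not part of the PR or of Yesod): a WAI middleware that
-- sets the security headers discussed in the thread. Depends on
-- wai, wai-extra, warp and http-types.
module SecurityHeaders (securityHeaders, app, main) where

import Network.HTTP.Types (status200)
import Network.Wai (Application, Middleware, responseLBS)
import Network.Wai.Handler.Warp (run)
import Network.Wai.Middleware.AddHeaders (addHeaders)

-- | Adds the three response headers from the discussion.
--
-- * X-XSS-Protection: the PR's "1; mode=block", combined with a
--   "report=" directive so the browser POSTs a report to the
--   (assumed) /xss-report endpoint instead of only blocking silently.
-- * Referrer-Policy: send only the origin on cross-origin requests,
--   which is the privacy benefit the thread describes.
-- * Feature-Policy: the thread's example of disabling vibration.
securityHeaders :: Middleware
securityHeaders = addHeaders
  [ ("X-XSS-Protection", "1; mode=block; report=/xss-report")
  , ("Referrer-Policy", "strict-origin-when-cross-origin")
  , ("Feature-Policy", "vibrate 'none'")
  ]

-- | Placeholder application standing in for a real Yesod app.
app :: Application
app _req respond =
  respond (responseLBS status200 [("Content-Type", "text/plain")] "hello")

-- | Serve the wrapped application. In a Yesod scaffolded site the same
-- middleware would be composed with the existing middleware stack
-- (for example alongside defaultMiddlewaresNoLogging) rather than here.
main :: IO ()
main = run 3000 (securityHeaders app)
```

Two caveats worth knowing before relying on this: `report=` only ever did anything in Chromium-based browsers, and Chromium removed its XSS Auditor in Chrome 78 (2019), so current browsers ignore `X-XSS-Protection` entirely. Content-Security-Policy (which also supports `report-uri` / `report-to`) is the mechanism that actually constrains script execution today, so treat this header as a legacy addition and invest the custom configuration effort in CSP.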