Headers

In System Tools > Settings > Security there are two header-related options:

  • Use CTO and STS headers
    • X-Content-Type-Options: nosniff
    • Strict-Transport-Security: max-age=$HSTSSeconds; includeSubDomains
      • $HSTSSeconds is set in noodle.properties (the default is 6 months)
      • Only sent when HTTPS is in use (browsers ignore an HSTS header received over plain HTTP, so sending it there would have no effect)
  • Use RT, CSP, FO, XSSP headers
    • Report-To: ...1 day... /CSP.po
      • Only sent to Chrome or Edge versions that support the Report-To header
    • Content-Security-Policy: $CSP
      • $CSP varies depending on the page served
    • X-Frame-Options: SAMEORIGIN
    • Referrer-Policy: strict-origin-when-cross-origin
    • X-XSS-Protection: 1
      • Legacy header: Chromium-based browsers (Chrome, Edge) no longer implement the XSS filter it controlled and Firefox never did, so it has no effect in current browsers; it is kept for older clients only
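To confirm that a deployment actually emits the headers listed above, the following added example (not part of Noodle or its documentation) parses a raw response-header block and reports which expected headers are missing or weakly configured. The header block below is a constructed sample standing in for the output of `curl -sI https://intranet.example/`; the 180-day minimum for $HSTSSeconds is an assumption approximating the "6 months" default, and the `intranet.example` host is hypothetical.

```python
"""Offline check of the security headers listed above.

Added example, not part of Noodle or its documentation. It parses a raw
response-header block (the constructed sample below stands in for the
output of `curl -sI https://intranet.example/`) and reports which of the
expected headers are missing or weakly configured.
"""
import re

# Assumed minimum for $HSTSSeconds: 180 days, approximating the "6 months" default.
MIN_HSTS_SECONDS = 180 * 24 * 3600

# Constructed sample of a response from a server with both options enabled.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=15552000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
X-XSS-Protection: 1
"""


def parse_headers(raw):
    """Return a dict of lower-cased header name -> value; repeated headers
    are joined with ', ', as HTTP allows."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        name = name.strip().lower()
        value = value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return headers


def hsts_directives(value):
    """Parse 'max-age=N; includeSubDomains' into (max_age or None, include_subdomains)."""
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        directive = directive.strip()
        m = re.fullmatch(r"max-age\s*=\s*\"?(\d+)\"?", directive, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def check_headers(raw, https=True):
    """Return a list of findings (strings). An empty list means every
    header the page lists is present with the expected value."""
    h = parse_headers(raw)
    findings = []

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    if https:
        sts = h.get("strict-transport-security")
        if sts is None:
            findings.append("Strict-Transport-Security missing on HTTPS response")
        else:
            max_age, include_sub = hsts_directives(sts)
            if max_age is None or max_age < MIN_HSTS_SECONDS:
                findings.append("HSTS max-age below %d" % MIN_HSTS_SECONDS)
            if not include_sub:
                findings.append("HSTS lacks includeSubDomains")
    elif "strict-transport-security" in h:
        # Browsers ignore HSTS received over plain HTTP; seeing it there means
        # the header is not being tied to the scheme as the option describes.
        findings.append("Strict-Transport-Security sent over HTTP (ignored by browsers)")

    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")

    if h.get("x-frame-options", "").upper() != "SAMEORIGIN":
        findings.append("X-Frame-Options: SAMEORIGIN missing")

    if h.get("referrer-policy", "").lower() != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy: strict-origin-when-cross-origin missing")

    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection missing (legacy header, ignored by current browsers)")

    return findings


if __name__ == "__main__":
    for finding in check_headers(SAMPLE_HEADERS) or ["all expected headers present"]:
        print(finding)
```

Run it against a real capture by replacing `SAMPLE_HEADERS` with the output of `curl -sI` and pass `https=False` when the capture came from a plain-HTTP URL; the script deliberately flags an HSTS header on HTTP, since that indicates the "only set if HTTPS is in use" behaviour is not what the server does.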