- Commented out CSP (needs input on remote includes in sr.ht)
- XFO / XSS / Content-Type all common headers
- Strict cross origin referrer policy to prevent data leaks
Almost +1 here, I'm gonna drop autoplay cause sourcehut.org may use this
to demonstrate new features (with mute autoplay loop videos) in the
future and who knows if other domains might want that.
"preload" can be dangerous if enabled on a whim:
https://hstspreload.org/#opt-in
Preload + hstspreload.org submission will make browsers *always* use
HTTPS for sr.ht + subdomains with no workaround (if cert is invalid
there won't be a "load site anyway" button in the browser UI).
In 2019 SSL certs are available for free so it's not a big problem but I
think it's good to point out the ramifications of this process: removing
HSTS preload would take months until new browser versions roll out (they
ship with HSTS preload list) so well... better to know what's going on
beforehand.
Kind regards,
Wiktor
Upgrade-Insecure-Requests seems to be a request header (that is sent by
clients, not servers). More info on MDN:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Upgrade-Insecure-Requests
and in the spec:
https://w3c.github.io/webappsec-upgrade-insecure-requests/#preference
Kind regards,
Wiktor
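The two messages above raise three checkable points: a `preload` token in Strict-Transport-Security is close to irreversible once submitted to hstspreload.org, a strict Referrer-Policy is what keeps URLs from leaking cross-origin, and Upgrade-Insecure-Requests is a request header rather than something a server should emit. The script below is an added example, not code from sourcehut or from the thread; it lints a set of response headers for exactly those points. The header set it runs on is a constructed sample for a hypothetical sr.ht-style deployment, and the preload-list requirements it encodes (max-age of at least one year plus includeSubDomains) are the ones hstspreload.org documents for submission.

```python
"""Response-header lint for the points raised in the thread (added example).

Not code from sourcehut; the header set is a constructed sample and the
deployment it mimics is hypothetical.
"""
from typing import Dict, List

# Constructed sample of response headers as a hypothetical sr.ht-style
# deployment might send them. "Upgrade-Insecure-Requests" is included on
# purpose: it is a request header and does not belong in a response.
SAMPLE_RESPONSE_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Upgrade-Insecure-Requests": "1",
}

# hstspreload.org submission requirements: max-age of at least one year,
# includeSubDomains, and the preload token itself.
PRELOAD_MIN_MAX_AGE = 31536000

# Referrer policies that send the full URL (path and query) to other origins.
LEAKY_REFERRER_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse a Strict-Transport-Security value (RFC 6797 directive list)."""
    result: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age":
            result["max_age"] = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def lint_response_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per issue; an empty list means nothing to report."""
    findings: List[str] = []
    lower = {k.lower(): v.strip() for k, v in headers.items()}

    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: Strict-Transport-Security missing")
    else:
        parsed = parse_hsts(hsts)
        if parsed["preload"]:
            # Once submitted, the entry ships inside browser releases; removal
            # takes months to propagate, so flag it every time it is seen.
            findings.append("HSTS: preload token set; hard to undo once submitted to hstspreload.org")
            max_age = parsed["max_age"]
            if max_age is None or max_age < PRELOAD_MIN_MAX_AGE or not parsed["include_subdomains"]:
                findings.append("HSTS: preload token present but max-age/includeSubDomains "
                                "do not meet the preload-list requirements")

    if "x-frame-options" not in lower:
        findings.append("X-Frame-Options missing (clickjacking)")
    if lower.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing (MIME sniffing)")

    referrer = lower.get("referrer-policy")
    if referrer is None:
        findings.append("Referrer-Policy missing; browser default applies")
    elif referrer.lower() in LEAKY_REFERRER_POLICIES:
        findings.append(f"Referrer-Policy: {referrer} sends full URLs cross-origin")

    if "upgrade-insecure-requests" in lower:
        # Browsers send this header; a server expresses the same preference
        # through the CSP directive "upgrade-insecure-requests".
        findings.append("Upgrade-Insecure-Requests is a request header; use the CSP "
                        "directive upgrade-insecure-requests on the server side")
    return findings


if __name__ == "__main__":
    for line in lint_response_headers(SAMPLE_RESPONSE_HEADERS):
        print(line)
```

Run against the sample it reports two findings: the preload token (flagged unconditionally, because the point of the thread is that it should be a deliberate decision) and the misplaced Upgrade-Insecure-Requests header. The parser handles a single Referrer-Policy value; a comma-separated fallback list would need the last token taken.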