We deploy CSP Headers to all sites.
Sometimes they need to be modified based on the clients' needs.
Now with RC we did this under the NGINX config section and put in there the Content Security Policy.
But with Enhance I've not been able to find this option.
It's not handy to put them in as line-by-line items on a per-site basis.
By default we deploy something like this:
add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self';";
add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
add_header Referrer-Policy "strict-origin-when-cross-origin";
# (a|b|c) below lists the valid values for each header; send exactly one of them per site.
add_header Cross-Origin-Embedder-Policy "(unsafe-none|require-corp); report-to='default'";
add_header Cross-Origin-Opener-Policy "(same-origin|same-origin-allow-popups|unsafe-none); report-to='default'";
add_header Cross-Origin-Resource-Policy "(same-site|same-origin|cross-origin)";
gzip on;
gzip_vary on;
gzip_min_length 10240;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
gzip_disable "MSIE [1-6]\.";
Would be nice to have something like this.
And also other options like block wp-trackback / restore Cloudflare IPs etc.
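A small linter for a header template like the one above, added here as an example and not part of the original post: it flags add_header lines that repeat a header, and cross-origin policy headers whose value is not a token browsers accept (for instance an unpicked (a|b|c) placeholder). The sample config is constructed from the post's template; the function name lint and the finding labels are assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the template in the post.
SAMPLE = """\
add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self';";
add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Cross-Origin-Opener-Policy "(same-origin|same-origin-allow-popups|unsafe-none); report-to='default'";
add_header Cross-Origin-Resource-Policy "same-origin";
"""

# Tokens accepted as the first item of each single-value cross-origin header.
ALLOWED = {
    "cross-origin-embedder-policy": {"unsafe-none", "require-corp", "credentialless"},
    "cross-origin-opener-policy": {"same-origin", "same-origin-allow-popups", "unsafe-none"},
    "cross-origin-resource-policy": {"same-site", "same-origin", "cross-origin"},
}

# add_header <name> <value> [always];  name and value may be quoted or bare.
DIRECTIVE = re.compile(
    r'''^\s*add_header\s+(['"]?)([\w-]+)\1\s+(?:"([^"]*)"|'([^']*)'|([^\s;]+))(\s+always)?\s*;\s*$'''
)

def lint(conf):
    """Return (line_number, header_name, problem) tuples for an nginx snippet."""
    findings, seen = [], Counter()
    for number, line in enumerate(conf.splitlines(), 1):
        match = DIRECTIVE.match(line)
        if not match:
            continue  # not an add_header directive (gzip settings, comments, ...)
        name = match.group(2).lower()  # header names are case-insensitive
        value = next(g for g in match.group(3, 4, 5) if g is not None)
        seen[name] += 1
        if seen[name] > 1:
            # Two add_header lines at the same level send the header twice.
            findings.append((number, name, "duplicate"))
        if name in ALLOWED:
            token = value.split(";", 1)[0].strip()  # drop parameters such as report-to
            if token not in ALLOWED[name]:
                findings.append((number, name, "invalid-value"))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

When headers are overridden per site, note that nginx inherits add_header directives from the enclosing level only if the current level defines none of its own, so a site block that adds a single header drops the whole server-wide set unless it repeats it.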