diff --git a/public/.htaccess b/public/.htaccess index be5cd6fb5..256201c31 100644 --- a/public/.htaccess +++ b/public/.htaccess @@ -26,8 +26,11 @@ Options +ExecCGI +Includes +IncludesNOEXEC +SymLinksIfOwnerMatch -Indexes Header always set X-Frame-Options "SAMEORIGIN" - Header add Content-Security-Policy "script-src 'unsafe-inline'" - Header add Content-Security-Policy "font-src 'self', '*googleapis.com'" + Header add Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval'" + Header add Content-Security-Policy "style-src 'self' 'unsafe-inline' fonts.googleapis.com" + Header add Content-Security-Policy "font-src 'self' fonts.googleapis.com fonts.gstatic.com" + Header add Content-Security-Policy "object-src 'none'" + Header add Content-Security-Policy "form-action 'self'" Header set X-Content-Type-Options "nosniff" Header set X-XSS-Protection "1; mode=block" Header set X-Frame-Options "DENY"