Nginx Security Headers

Security headers are an important part of a web server's configuration, and verifying that they are actually delivered to the client is just as important as writing them down. With nginx in particular, add_header is inherited from an outer block only when the inner block defines no add_header of its own, so a single add_header in a location block silently drops every header set at server level.

# "always" makes nginx add the header to every response; without it the header
# is only added to 2xx and 3xx responses, so error pages go out unprotected.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# 16070400 s is about 186 days; the hstspreload.org list requires at least
# 31536000 s (one year). Only enable includeSubDomains once every subdomain serves HTTPS.
add_header Strict-Transport-Security "max-age=16070400; includeSubDomains" always;
# Obsolete: modern browsers have removed the XSS auditor, so this is effectively a no-op.
# A Content-Security-Policy is the real control against injected scripts.
add_header X-XSS-Protection "1; mode=block" always;
add_header Permissions-Policy "microphone=()" always;
# Cross-origin isolation headers, disabled here; pick one of the values in parentheses.
#add_header Cross-Origin-Resource-Policy "(same-site|same-origin|cross-origin)";
#add_header Cross-Origin-Opener-Policy "(same-origin|same-origin-allow-popups|unsafe-none); report-to='default'";
#add_header Cross-Origin-Embedder-Policy "(unsafe-none|require-corp); report-to='default'";
# Minimal CSP: everything must come from the page's own origin.
#add_header Content-Security-Policy "default-src 'self'";
# Application-specific CSP. Scheme sources such as data: are written without quotes;
# only keywords like 'self', 'none' and 'unsafe-inline' are quoted. report-uri is left
# empty below and must be given a reporting endpoint or removed before use.
#add_header Content-Security-Policy "default-src 'self'; script-src 'report-sample' 'self' https://www.google-analytics.com/analytics.js; style-src 'unsafe-hashes' 'unsafe-inline' 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self' http://10.10.1.16:8080 https://sentry.dot.co.id https://www.google-analytics.com; font-src data: 'self' https://fonts.gstatic.com; frame-src 'self' http://10.10.1.16:8080; img-src 'self' data: https://www.google-analytics.com; manifest-src 'self'; media-src 'self'; report-uri ''; worker-src 'none';";
# Stricter variant: no images at all, forms may only post back to the same origin.
#add_header Content-Security-Policy "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'none'; style-src 'self';base-uri 'self';form-action 'self'";
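The checker below is an added example, not part of the original note, for confirming that the headers above actually reach the client after a reload. It reads raw response headers on stdin (the format `curl -sI` prints), and reports headers that are missing, an HSTS max-age below one year (the hstspreload.org minimum; the threshold is a choice made here), the obsolete X-XSS-Protection header, and a CSP whose script-src allows 'unsafe-inline'. The two header blocks are constructed for the example, not captured from a real server.

```shell
#!/bin/sh
# Constructed sample, as curl -sI would print it: three headers missing,
# a short HSTS max-age and the obsolete X-XSS-Protection header.
SAMPLE_HEADERS="HTTP/2 200
server: nginx
content-type: text/html
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
strict-transport-security: max-age=16070400; includeSubDomains
x-xss-protection: 1; mode=block"

# Constructed sample that passes every check.
GOOD_HEADERS="HTTP/2 200
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
strict-transport-security: max-age=31536000; includeSubDomains
permissions-policy: microphone=()
content-security-policy: default-src 'self'; object-src 'none'; base-uri 'self'"

# check_headers: read raw response headers on stdin, print one finding per
# line, and return the number of findings (0 means every check passed).
check_headers() {
    # Header names are case-insensitive, so normalise the whole block.
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
    findings=0

    for name in x-frame-options x-content-type-options referrer-policy \
                strict-transport-security permissions-policy \
                content-security-policy; do
        if ! printf '%s\n' "$hdrs" | grep -q "^$name:"; then
            echo "missing: $name"
            findings=$((findings + 1))
        fi
    done

    # HSTS max-age below one year (31536000 s) is rejected by the preload list
    # and leaves only a short window of protection after the last visit.
    max_age=$(printf '%s\n' "$hdrs" | sed -n 's/^strict-transport-security:.*max-age=\([0-9]*\).*/\1/p')
    if [ -n "$max_age" ] && [ "$max_age" -lt 31536000 ]; then
        echo "weak: strict-transport-security max-age=$max_age is below one year"
        findings=$((findings + 1))
    fi

    # Browsers have removed the XSS auditor; the header adds nothing and
    # signals that a CSP may be missing.
    if printf '%s\n' "$hdrs" | grep -q '^x-xss-protection:'; then
        echo "obsolete: x-xss-protection (use content-security-policy instead)"
        findings=$((findings + 1))
    fi

    # 'unsafe-inline' in script-src lets any injected <script> run, which
    # defeats the main reason for having a CSP.
    if printf '%s\n' "$hdrs" | grep -q "^content-security-policy:.*script-src[^;]*'unsafe-inline'"; then
        echo "weak: content-security-policy allows 'unsafe-inline' scripts"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Demo on the constructed samples; the exit status is the finding count.
printf '%s\n' "$SAMPLE_HEADERS" | check_headers || echo "findings: $?"
printf '%s\n' "$GOOD_HEADERS" | check_headers && echo "all checks passed"
```

Against a live host, run `curl -sI https://example.com | check_headers`, and repeat with a URL that returns 404: a header that disappears on the error page is one that was added without the `always` flag.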

I am noting this here as personal documentation. An explanation of each security header can be found in the references below.

References