Advanced Security Headers Implementation
The following Apache and Nginx directives set the less common security and reporting headers (Certificate Transparency, Network Error Logging, Reporting API, Trusted Types) that go beyond the usual baseline set:
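# Apache - Expect-CT for Certificate Transparency
# NOTE: Expect-CT is deprecated. Current browsers enforce Certificate Transparency
# for publicly trusted certificates on their own and ignore this header; it is kept
# here only for legacy clients and can be dropped. The report-uri is a placeholder
# and must point at a collector you operate.
Header always set Expect-CT "max-age=86400, enforce, report-uri=\"https://example.com/ct-report\""
# NEL (Network Error Logging) - "report_to" must name a group defined in the
# Report-To header below (here: "default"). Browsers send NEL reports, which include
# request URLs and client addresses, to that collector, so it must be an endpoint you
# control; host it on separate infrastructure so reports about this origin being
# unreachable can still be delivered.
Header always set NEL '{"report_to":"default","max_age":31536000,"include_subdomains":true}'
# Report-To header for various reporting - endpoint URLs must be HTTPS and the URL
# here is a placeholder. Report-To is the older Reporting API form (newer browsers
# use Reporting-Endpoints for most report types), but NEL still relies on it.
Header always set Report-To '{"group":"default","max_age":31536000,"endpoints":[{"url":"https://example.com/report"}],"include_subdomains":true}'
# Trusted Types (DOM XSS protection). These are Content-Security-Policy directives,
# not standalone headers: a header literally named Require-Trusted-Types-For or
# Trusted-Types is ignored by browsers and provides no protection. "set" replaces
# any Content-Security-Policy header configured elsewhere, so if the site already
# has a policy, add these two directives to that policy instead of using this line.
Header always set Content-Security-Policy "require-trusted-types-for 'script'; trusted-types default"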
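# Nginx - Additional security headers
# NOTE: add_header directives are inherited by a server/location block only when
# that block declares no add_header of its own. A block that adds even one header
# must repeat the whole set, or these headers silently disappear for its responses.
# "always" emits the header on error responses as well.
# Expect-CT is deprecated and ignored by current browsers (Certificate Transparency
# is enforced for publicly trusted certificates regardless); kept only for legacy
# clients. The report-uri is a placeholder for a collector you operate.
add_header Expect-CT 'max-age=86400, enforce, report-uri="https://example.com/ct-report"' always;
# NEL: "report_to" must match a group in the Report-To header below. Reports carry
# request URLs and client addresses, so the collector must be one you control,
# ideally on separate infrastructure so reports about this origin being unreachable
# can still arrive.
add_header NEL '{"report_to":"default","max_age":31536000,"include_subdomains":true}' always;
# Report-To endpoints must be HTTPS; the URL here is a placeholder. Report-To is the
# older Reporting API form, but NEL still relies on it.
add_header Report-To '{"group":"default","max_age":31536000,"endpoints":[{"url":"https://example.com/report"}],"include_subdomains":true}' always;
# Trusted Types (DOM XSS protection) are Content-Security-Policy directives, not
# standalone headers; browsers ignore headers named Require-Trusted-Types-For or
# Trusted-Types. If a Content-Security-Policy header is already emitted elsewhere,
# add these two directives to that policy rather than emitting a second CSP header
# (multiple CSP headers are all enforced, but one policy is easier to audit).
add_header Content-Security-Policy "require-trusted-types-for 'script'; trusted-types default" always;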