caddy/snippets/security/frame-options.snippet
# caddy/snippets/security/frame-options.snippet
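# X-Frame-Options is DENY everywhere by default; apps that embed themselves
# in a frame (Jellyfin book reader, etc.) should replace it with SAMEORIGIN.
# The remaining headers are a shared baseline: no MIME sniffing, a trimmed
# cross-origin Referer, and a restrictive Permissions-Policy.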
header X-Frame-Options "DENY"
header X-Content-Type-Options "nosniff"
header Referrer-Policy "strict-origin-when-cross-origin"
header Permissions-Policy "interest-cohort=(), geolocation=(), camera=(), microphone=()"