Send standard HTTPS security headers with VCL
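# Attach browser security headers to every response leaving Varnish.
# vcl_deliver runs for cache hits and misses alike and for every status
# code, so these headers also land on redirects and error pages.
sub vcl_deliver {
    # Legacy clickjacking defence. The CSP `frame-ancestors` directive is the
    # modern equivalent; add it to the policy below once it is enforced.
    set resp.http.X-Frame-Options = "SAMEORIGIN";

    # The XSS auditor this header controls has been removed from Chromium-based
    # browsers and was never implemented in Firefox; where it still exists it
    # has been abused for cross-site information leaks. Disable it explicitly
    # rather than turning it on.
    set resp.http.X-XSS-Protection = "0";

    # Stop browsers MIME-sniffing a response away from its declared Content-Type.
    set resp.http.X-Content-Type-Options = "nosniff";

    # Limit Referer leakage: full URL only to same-origin, origin only when
    # crossing origins over HTTPS, nothing on a downgrade to HTTP.
    set resp.http.Referrer-Policy = "strict-origin-when-cross-origin";

    # One-year HSTS. `includeSubDomains` commits EVERY subdomain of the host to
    # HTTPS for a year, including ones not served through this Varnish
    # instance, so confirm that before deploying. Browsers ignore HSTS received
    # over plain HTTP, so sending it unconditionally is safe, but it only has
    # an effect when the edge in front of Varnish actually terminates TLS.
    set resp.http.Strict-Transport-Security = "max-age=31536000; includeSubDomains";

    # Report-Only CSP: violations are reported to report-uri but NOT blocked, so
    # this header provides no protection by itself. Rename it to
    # Content-Security-Policy once the reports are clean.
    # NOTE: `upgrade-insecure-requests` is ignored in Report-Only mode; it only
    # takes effect in the enforcing header.
    # NOTE: the report-uri host below is a placeholder and must be replaced with
    # a real collector endpoint before this is useful.
    set resp.http.Content-Security-Policy-Report-Only = "default-src 'self' ; script-src 'self' r-login.wordpress.com s0.wp.com s1.wp.com s2.wp.com stats.wp.com 0.gravatar.com platform.twitter.com; style-src 'self' s2.wp.com 0.gravatar.com fonts.googleapis.com; img-src 'self' pixel.wp.com 2.gravatar.com ; font-src 'self' data: fonts.gstatic.com; upgrade-insecure-requests; report-uri https://example.report-uri-example.io/report/example-endpoint;";

    # Strip headers that fingerprint the origin server and the cache layer.
    # X-Powered-By is typically added by PHP behind the origin; Via and
    # X-Varnish are added by Varnish itself. Keep X-Varnish if you rely on it
    # for debugging cache behaviour from the client side.
    unset resp.http.Server;
    unset resp.http.X-Powered-By;
    unset resp.http.Via;
    unset resp.http.X-Varnish;
}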