Content-Security-Policy
I'm sharing this to get feedback if I can improve it or to help others. I didn't see anything about it in the documentation. From a bit of testing, I think the minimal Content-Security-Policy header permissions required on the server to allow selfoss to run are:
add_header Content-Security-Policy "default-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; img-src 'self'; object-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; block-all-mixed-content; frame-ancestors 'none';" always;
(This is nginx syntax but you'll get the idea for Apache.)
Any thoughts, please? Maybe to add to the 'nginx configuration' wiki if it looks okay?