express-csp/csp-policy.yml


# Content Security Policy
#
# Should yield the following header (directive order follows the map
# below; whitespace between directives may differ by Helmet version):
# "Content-Security-Policy: default-src 'self'; base-uri 'self';
# font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self';
# img-src 'self' data:; object-src 'none'; script-src 'self' example.com;
# script-src-attr 'none'; style-src 'self' https: 'unsafe-inline';
# upgrade-insecure-requests"
# Note: the embedded single quotes around keywords ('self', 'none',
# 'unsafe-inline') are part of the CSP grammar and must be kept; a bare
# self would be read by the browser as a host name, not the keyword.
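---
contentSecurityPolicy:
  useDefaults: false  # Helmet's defaults are NOT merged in; every directive is listed explicitly below
  directives:
    default-src: ["'self'"]  # Fallback for every fetch directive not listed here: same origin only
    base-uri: ["'self'"]  # Restrict <base href> so injected markup cannot retarget relative URLs
    font-src:  # Fonts from same origin, any HTTPS origin, or data: URIs
      - "'self'"
      - "https:"  # NOTE(review): matches ANY HTTPS host, not just vetted ones; tighten to named origins if possible
      - "data:"
    form-action: ["'self'"]  # Forms may only submit to the same origin
    frame-ancestors: ["'self'"]  # Anti-clickjacking; keep in step with frameguard below
    img-src:  # Same-origin images and inline data: URIs
      - "'self'"
      - "data:"
    object-src: ["'none'"]  # No <object>/<embed> plugin content at all
    script-src:  # Same origin plus one explicitly allowed host; no inline or eval'd script
      - "'self'"
      - example.com  # Looks like a placeholder host – replace with the real script origin; scheme-less source matches the page's scheme
    script-src-attr: ["'none'"]  # Blocks inline event handlers (onclick=...) even if script-src is later loosened
    style-src:  # Inline styles are allowed for CSS frameworks
      - "'self'"
      - "https:"  # NOTE(review): any HTTPS host, same caveat as font-src
      - "'unsafe-inline'"  # Weakens CSS-injection/exfiltration protection; prefer nonces or hashes when the framework supports them
    upgrade-insecure-requests: []  # Valueless directive; the empty list emits it with no value

# Cross-origin isolation headers: COOP same-origin + COEP require-corp together enable SharedArrayBuffer
crossOriginEmbedderPolicy:
  policy: "require-corp"  # Cross-origin subresources (the example.com script, any https: font) are BLOCKED unless served with CORP or CORS headers, regardless of what CSP allows
crossOriginOpenerPolicy:
  policy: "same-origin"  # Isolates the browsing context; cross-origin pages lose their window.opener reference to this site
crossOriginResourcePolicy:
  policy: "same-origin"  # Other origins cannot load this site's resources as subresources

# Request origin-keyed agent clusters (Origin-Agent-Cluster: ?1)
originAgentCluster: true

# Never send Referer; path and query never leak to third parties
referrerPolicy:
  policy: "no-referrer"

# HSTS. All three settings below are required by the browser preload list (hstspreload.org).
strictTransportSecurity:
  maxAge: 31536000  # 1 year – the preload-list minimum; the previous 180 days would be rejected at submission
  includeSubDomains: true  # Required for preload; every subdomain must be reachable over HTTPS first
  preload: true  # Inclusion in the preload list is effectively permanent – confirm all subdomains before submitting

# X-Content-Type-Options: nosniff
xContentTypeOptions: true

# X-DNS-Prefetch-Control: off
dnsPrefetchControl:
  allow: false

# X-Frame-Options for browsers without frame-ancestors support; must agree with frame-ancestors above
frameguard:
  action: "SAMEORIGIN"

# X-Permitted-Cross-Domain-Policies: none – denies Flash/Acrobat crossdomain.xml lookups
permittedCrossDomainPolicies:
  permittedPolicies: "none"

# Strip the X-Powered-By: Express header
hidePoweredBy: true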