Add modern security header rules

2026-04-27 10:01:47 +07:00 · 2026-04-27 10:01:47 +07:00 · 01bdadd2ab
commit 01bdadd2ab
parent 542ebdea34
3 changed files with 352 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -21,8 +21,14 @@ relies on TLS for transport.
 | `http.x_frame_options`            | `X-Frame-Options` or CSP `frame-ancestors` provides clickjacking protection.      |
 | `http.x_content_type_options`     | `X-Content-Type-Options: nosniff` is set.                                         |
 | `http.x_xss_protection`           | Reports the legacy `X-XSS-Protection` header (recommendation: disable).           |
+| `http.referrer_policy`            | `Referrer-Policy` is set to a privacy-preserving value (W3C Referrer Policy).     |
+| `http.permissions_policy`         | `Permissions-Policy` is set (W3C Permissions Policy, replaces Feature-Policy).    |
+| `http.coop`                       | `Cross-Origin-Opener-Policy` isolates the document from cross-origin windows.     |
+| `http.coep`                       | `Cross-Origin-Embedder-Policy` requires CORP/CORS opt-in for embedded resources.  |
+| `http.corp`                       | `Cross-Origin-Resource-Policy` restricts cross-origin embedding of responses.     |
 | `http.cookie_flags`               | Every Set-Cookie has `Secure`, `HttpOnly`, and a `SameSite` attribute.            |
 | `http.sri`                        | Cross-origin `<script>`/`<link>` tags carry `integrity=` (Subresource Integrity). |
+| `http.security_txt`               | `/.well-known/security.txt` is published (RFC 9116).                              |

 ## Options