| 293 |
# Prevent browsers from incorrectly detecting non-scripts as scripts
|
293 |
# Prevent browsers from incorrectly detecting non-scripts as scripts
|
| 294 |
Header always set X-Content-Type-Options nosniff
|
294 |
Header always set X-Content-Type-Options nosniff
|
| 295 |
# Cors
|
295 |
# Cors
|
| 296 |
Header always set Access-Control-Allow-Origin "*"
|
296 |
Header always set Access-Control-Allow-Origin "*"
|
| 297 |
# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https
|
297 |
# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https
|
| 298 |
Header always set Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src https://use.fontawesome.com https://fonts.gstatic.com/; form-action 'self'; img-src 'self' data: https://assets.sheetmusicplus.com https://d115fki8ibznml.cloudfront.net https://i5.wal.co https://i5.walmartimages.com https://images.samash.com https://img.discogs.com https://thumbs1.ebaystatic.com https://thumbs2.ebaystatic.com https://thumbs3.ebaystatic.com https://thumbs4.ebaystatic.com https://www.musicnotes.com https://www.secondspin.com; script-src 'self' 'unsafe-inline' https://ajax.googleapis.com/ajax/libs/jquery/3.4.0/jquery.min.js https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js https://maxcdn.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js; style-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com/bootstrap/4.3.1/css/ https://use.fontawesome.com/releases/v5.8.1/css/ https://fonts.googleapis.com/;frame-ancestors 'self'"
|
298 |
Header always set Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src https://use.fontawesome.com https://fonts.gstatic.com/; form-action 'self'; img-src 'self' data: https://assets.sheetmusicplus.com https://d115fki8ibznml.cloudfront.net https://i5.wal.co https://i5.walmartimages.com https://images.samash.com https://img.discogs.com https://thumbs1.ebaystatic.com https://thumbs2.ebaystatic.com https://thumbs3.ebaystatic.com https://thumbs4.ebaystatic.com https://www.musicnotes.com https://www.secondspin.com https://lh4.googleusercontent.com http://abs.twimg.com https://platform-lookaside.fbsbx.com/platform/profilepic; script-src 'self' 'unsafe-inline' https://ajax.googleapis.com/ajax/libs/jquery/3.4.0/jquery.min.js https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js https://maxcdn.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js; style-src 'self' 'unsafe-inline' https://maxcdn.bootstrapcdn.com/bootstrap/4.3.1/css/ https://use.fontawesome.com/releases/v5.8.1/css/ https://fonts.googleapis.com/;frame-ancestors 'self'"
|
| 299 |
# Disable referrers for browsers that don't support strict-origin-when-cross-origin; Uses strict-origin-when-cross-origin for browsers that do
|
299 |
# Disable referrers for browsers that don't support strict-origin-when-cross-origin; Uses strict-origin-when-cross-origin for browsers that do
|
| 300 |
Header always set Referrer-Policy "no-referrer"
|
300 |
Header always set Referrer-Policy "no-referrer"
|
| 301 |
# Only allow my site to frame itself
|
301 |
# Only allow my site to frame itself
|
| 302 |
#add above# Header always add Content-Security-Policy "frame-ancestors 'self'"
|
302 |
#add above# Header always add Content-Security-Policy "frame-ancestors 'self'"
|
| 303 |
Header always set X-Frame-Options SAMEORIGIN
|
303 |
Header always set X-Frame-Options SAMEORIGIN
|
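Review bot: The new img-src entry `http://abs.twimg.com` on line 298 is the only plain-http origin in the whole policy and contradicts the comment on 297 that resources are loaded only over https; on an https page those images are mixed content and the CSP no longer forces TLS for that host, so it should read `https://abs.twimg.com` (or the policy should gain `upgrade-insecure-requests`) unless that CDN is genuinely http-only, which seems unlikely. The other new entry, `https://platform-lookaside.fbsbx.com/platform/profilepic`, has no trailing slash, and a CSP path source without one only matches that exact path; if the Facebook picture URLs end in `/profilepic/` with a query string, as they commonly do, they will be blocked, whereas `https://platform-lookaside.fbsbx.com/platform/profilepic/` matches the subtree. Both are easy to confirm from the browser console once deployed.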