I noticed today that my CSP (Content-Security-Policy) in Caddy's baty.net virtual host was not working. Whoops. I think I've fixed it, but if you spot any weird loading issues let me know. Here's the relevant section from my Caddyfile:
```caddyfile
header * {
	Content-Security-Policy "default-src 'self'; font-src 'self' https://fonts.gstatic.com/; style-src 'self' https://fonts.googleapis.com/; script-src 'self' https://plausible.io; connect-src 'self'"
	Cross-Origin-Embedder-Policy "require-corp"
	Cross-Origin-Opener-Policy "same-origin-allow-popups"
	Cross-Origin-Resource-Policy "same-origin"
	Permissions-Policy "accelerometer=(self), autoplay=(self), camera=(self), cross-origin-isolated=(self), display-capture=(self), encrypted-media=(self), fullscreen=(self), geolocation=(self), gyroscope=(self), keyboard-map=(self), magnetometer=(self), microphone=(self), midi=(self), payment=(self), picture-in-picture=(self), publickey-credentials-get=(self), screen-wake-lock=(self), sync-xhr=(self), usb=(self), xr-spatial-tracking=(self)"
	Server "baty.net"
	Strict-Transport-Security max-age=31536000;
	X-Content-Type-Options nosniff
	X-Frame-Options DENY
	X-XSS-Protection "0"
}
```

FWIW, I'm back to an "A" rating at securityheaders.com.
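To check what a policy like the one above actually allows, it helps to see which directives inherit `default-src` when they are left out (`img-src` does, so images are limited to `'self'`) and which do not (`base-uri`, `form-action`, `frame-ancestors`). The following small CSP parser and checker is an added example, not code from the post; `SITE_CSP` is a constructed copy of the CSP value from the Caddyfile.

```python
from typing import Dict, List, Optional

# Constructed copy of the CSP value from the Caddyfile above.
SITE_CSP = ("default-src 'self'; font-src 'self' https://fonts.gstatic.com/; "
            "style-src 'self' https://fonts.googleapis.com/; "
            "script-src 'self' https://plausible.io; connect-src 'self'")

# Fetch directives that inherit default-src when they are not set (CSP3).
INHERITS_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "worker-src", "manifest-src",
    "child-src", "prefetch-src",
}
# Directives that do NOT inherit: leaving them out means no restriction.
NO_FALLBACK = {"base-uri", "form-action", "frame-ancestors"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}.
    Directives are ';'-separated, tokens whitespace-separated, names are
    case-insensitive, and a repeated directive keeps its first occurrence."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Source list that governs `directive`; None means unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in INHERITS_DEFAULT:
        return policy.get("default-src")
    return None


def review(policy: Dict[str, List[str]]) -> List[str]:
    """Defender-side notes: permissive sources and gaps default-src won't cover."""
    notes: List[str] = []
    for d in ("script-src", "style-src", "object-src"):
        srcs = effective_sources(policy, d)
        if srcs is None:
            notes.append(f"{d}: unrestricted (no default-src either)")
        elif any(s in ("*", "'unsafe-inline'", "'unsafe-eval'") for s in srcs):
            notes.append(f"{d}: permissive source in {srcs}")
    for d in sorted(NO_FALLBACK - set(policy)):
        notes.append(f"{d}: not set and does not inherit default-src")
    return notes
```

Running `review(parse_csp(SITE_CSP))` reports only the three non-inheriting directives as unset; the script and style sources themselves are tight.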
...