Closed
Description
Describe the change
Add a default CSP that allows only internal resources and blocks everything else.
Current situation
There is no CSP by default; deployments are required to add these headers at their traffic proxies (ingresses).
Should
nginx should add the following headers:
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' data:;";
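Because the issue moves the headers from the ingress into nginx, the useful check is on what the deployment actually returns, not on the config file: in nginx, add_header directives in a location block replace the ones inherited from the server block rather than extending them, so a location-level add_header can silently drop the set above. The following added example (written for this issue, not code from the project) audits a response header map against the proposed set, parses the Content-Security-Policy value into directives, and flags 'unsafe-inline' and 'unsafe-eval' in default-src, since those two sources allow exactly the inline scripts and eval that a CSP is meant to block. The header maps are constructed samples; in practice they would come from an HTTP client response against the deployment.

```python
"""Audit the security headers an nginx deployment is expected to send."""
from typing import Dict, List

# Header set proposed in the issue; names are compared case-insensitively.
EXPECTED_HEADERS = {
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
}

# CSP source expressions that re-enable inline scripts and eval.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [sources]}.

    Directives are separated by ';' and tokens by whitespace; directive names
    are case-insensitive. Empty segments (e.g. from a trailing ';') are skipped,
    and for a duplicated directive the first occurrence wins, as in browsers.
    """
    directives: Dict[str, List[str]] = {}
    for segment in policy.split(";"):
        tokens = segment.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response header map; an empty list means all checks passed."""
    findings: List[str] = []
    lowered = {name.lower(): value.strip() for name, value in headers.items()}

    for name, expected in EXPECTED_HEADERS.items():
        actual = lowered.get(name)
        if actual is None:
            findings.append(f"missing header: {name}")
        elif actual.lower() != expected.lower():
            findings.append(f"unexpected value for {name}: {actual!r}")

    csp = lowered.get("content-security-policy")
    if csp is None:
        findings.append("missing header: content-security-policy")
        return findings

    default_src = parse_csp(csp).get("default-src")
    if default_src is None:
        findings.append("csp has no default-src directive")
        return findings

    sources = {token.lower() for token in default_src}
    if "'self'" not in sources:
        findings.append("default-src does not include 'self'")
    for weak in sorted(WEAK_SOURCES & sources):
        findings.append(f"default-src allows {weak} (weakens XSS protection)")
    return findings


# Constructed sample responses, not captured from a real deployment.
RESPONSE_WITH_PROPOSED_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline' 'unsafe-eval' data:;",
}

RESPONSE_WITHOUT_HEADERS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for label, response in (("proposed", RESPONSE_WITH_PROPOSED_HEADERS),
                            ("no headers", RESPONSE_WITHOUT_HEADERS)):
        print(f"{label}: {audit_headers(response) or 'ok'}")
```

Run against the proposed header set, the audit reports only the two weak-source findings; run against a response with no headers, it lists every missing header. Tightening default-src to 'self' alone makes the audit pass cleanly, which is the point at which the policy actually enforces "internal resources only".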