Server Configs
Pick your Config
Depending on the server that your site is hosted with, you can use the following guides & snippets to configure your server's settings and header output.
Security Headers
These rules currently exist both in the server config files (.htaccess / nginx.conf) and in the store's cssui-html-profile.mvt template. If you need to adjust a particular header, make sure it is updated in both locations. If the server and the template both emit the same header with different values, the response carries two copies; for Content-Security-Policy a browser enforces both policies, so a resource allowed by the template's policy can still be blocked by a stale copy in the server config.
- Referrer-Policy controls how much referrer information (sent via the Referer request header) is included with requests.
- Strict-Transport-Security enforces HTTPS: it tells browsers to use HTTPS for every request to this host for the max-age period. Browsers ignore the header when it arrives over plain HTTP, so it only takes effect once the site is already served over HTTPS.
- X-Content-Type-Options (value nosniff) prevents MIME-sniffing attacks by making browsers honor the declared Content-Type.
- X-XSS-Protection enables the reflected-XSS filter in older browsers; with mode=block the browser stops rendering the page instead of trying to sanitize it. Chromium-based browsers removed this filter in 2019 and Firefox never implemented it, so treat it as a legacy header.
- Content-Security-Policy is an additional defense against XSS, since X-XSS-Protection is not supported by all browsers. Adding or tightening directives in the CSP header may have implications for future 3rd-party additions (ex. YouTube embed, 3rd-party JS/CSS/image services, Google Analytics, etc.).
default-src 'self' https: wss:; script-src 'self' https: 'unsafe-inline'; style-src https: 'unsafe-inline'; base-uri 'self' https:; font-src 'self' https: data:; img-src 'self' data: https:; frame-ancestors 'self'; object-src 'none'; upgrade-insecure-requests; block-all-mixed-content;
Note that because script-src contains both 'unsafe-inline' and https:, this policy does not block injected inline scripts or scripts loaded from any HTTPS origin; its main protections are object-src 'none' (no plugin content), frame-ancestors 'self' (clickjacking), and upgrade-insecure-requests (mixed content). block-all-mixed-content is deprecated in favor of upgrade-insecure-requests and can be dropped once all browsers you support honor the latter.
Below are ways to resolve issues with some of these rules/directives.
- If inline scripts or 3rd-party services are getting blocked, allow them with a hash (for a fixed inline script) or a nonce (a fresh random value generated per response and echoed in the script tag's nonce attribute). 'unsafe-inline' also works but removes most of the XSS protection CSP provides. Be aware that once script-src contains a nonce or hash, CSP Level 2+ browsers ignore 'unsafe-inline' in that directive, so every inline script on the page must then carry a nonce or be hashed.