I have my TTRSS instance up and running (and it is great), but I would like to work on the web server configuration to follow the best practices.
As I understand it, there are several additional HTTP headers that can lower the likelihood of your site or your users being targeted by attackers.
However, if I understand things correctly, some of these "secure headers" would break ttrss (like Content Security Policy other than unsafe-inline, if I understood that thread correctly).
So, what do you use for your web server settings for ttrss, or what would you recommend?
(I use these so far:
Header always set X-XSS-Protection "1; mode=block"
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains"
Header always set X-Content-Type-Options "nosniff"
Header always unset "X-Powered-By"
Header unset "X-Powered-By"
Header always set X-Frame-Options SAMEORIGIN
Header always set Content-Security-Policy "unsafe-inline"
)
Thanks a lot.
P.S.: Another thing on headers: should I modify the Content-Type for generated feeds to be RSS-specific (like application/rss+xml or something)?
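An added example (not from this post or from the TTRSS project) that audits a set of response headers against the hardening headers discussed above: it checks HSTS max-age, nosniff, X-Frame-Options, whether X-Powered-By leaked through, and whether the CSP value actually contains a directive, since a bare "unsafe-inline" is a source keyword, not a policy. The sample header sets are constructed for the example, not captured from a real server.

```python
import re
from typing import Dict, List

# Constructed sample roughly matching the configuration quoted above.
# Assumed values for the example, not captured TTRSS output.
SAMPLE_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubdomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "unsafe-inline",
}

ONE_YEAR = 31536000
# A CSP directive name, e.g. default-src, script-src, frame-ancestors, form-action.
CSP_DIRECTIVE = re.compile(r"^[a-z]+(-src|-uri|-ancestors|-action|-to)$|^(sandbox|upgrade-insecure-requests)$")


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response header set; an empty list means nothing to report."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS: max-age shorter than one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS: includeSubDomains not set")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: expected 'nosniff'")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: expected DENY or SAMEORIGIN")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        directives = [d.split()[0] for d in csp.split(";") if d.strip()]
        if not any(CSP_DIRECTIVE.match(d) for d in directives):
            findings.append("CSP: no directive found; 'unsafe-inline' must be a source inside one, e.g. script-src 'self' 'unsafe-inline'")
        elif "'unsafe-inline'" in csp:
            findings.append("CSP: 'unsafe-inline' present, inline-script protection is weakened")
    if "x-powered-by" in h:
        findings.append("X-Powered-By: still exposed, remove it")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```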