mirror of
https://codeberg.org/PostERG/xamxam.git
synced 2026-06-25 16:19:19 +02:00
04094d802d
- Add Content-Security-Policy to main nginx server block (was only on /admin/) - Add Cross-Origin-Opener-Policy and Cross-Origin-Resource-Policy headers - Add includeSubDomains to HSTS header - Set HttpOnly, Secure, SameSite=Lax session cookie params on public pages (AdminAuth already hardens the /admin session with SameSite=Strict) - Update xamxam.conf.reference and SECURITY_HEADERS.md to match