Security Headers Issue



Hi,

I wanted to add these headers to my Apache config, as suggested by securityheaders.io:

    # HSTS: only has an effect on HTTPS responses; "always" also applies it to error responses
    Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
    Header set X-XSS-Protection "1; mode=block"
    # "set" rather than "append": append merges with any X-Frame-Options the application already sends
    Header always set X-Frame-Options SAMEORIGIN
    # no colon after the header name, otherwise Apache sends a header literally named "X-Content-Type-Options:"
    Header set X-Content-Type-Options "nosniff"
    Header set Content-Security-Policy "default-src 'self';"

(I didn't add the Public-Key-Pins header, which might be overkill for a hobby site.)

However, these options really f*** up roundcubemail. It's not possible to see mails or change between apps. Also it's impossible to log out anymore.

Can at least some of these options be applied, and if yes, which settings are the best choice?

Thanks for reading,
Roland.


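A way to find out which of the directives above actually reach the browser, and what the CSP blocks before it is enforced, is to check the raw response instead of guessing. The script below is an added example and is not from the post, from Roundcube or from Apache; it works on a constructed sample response (not captured from a real server) that reproduces two defects a vhost with the original directives would produce: the stray colon in `X-Content-Type-Options:` and a second `X-Frame-Options` header next to the one the application itself sends. The `audit` function lists missing or malformed headers and resolves the `default-src` fallback to show, per fetch directive, whether inline scripts, inline styles and `data:` images are permitted.

```python
"""Offline audit of a raw HTTP response against the security headers from the post."""
from __future__ import annotations

# Constructed sample response; not captured from a real server.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: sameorigin\r\n"          # header the web application itself sends
    "Strict-Transport-Security: max-age=31536000; includeSubdomains; preload\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"          # second copy added by the vhost
    "X-Content-Type-Options:: nosniff\r\n"     # result of a stray colon in the Header directive
    "Content-Security-Policy: default-src 'self';\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers from the post (lower-cased) and the value each should carry; None = any value.
WANTED = {
    "strict-transport-security": "max-age=31536000; includeSubdomains; preload",
    "x-xss-protection": "1; mode=block",
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "content-security-policy": None,
}

# CSP fetch directives that fall back to default-src when not given explicitly.
FALLBACK_TO_DEFAULT = ("script-src", "style-src", "img-src", "connect-src", "font-src", "frame-src")


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs from the header section, names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_csp(policy: str) -> dict[str, list[str]]:
    """Resolve what each fetch directive allows once the default-src fallback is applied."""
    csp = parse_csp(policy)
    default = csp.get("default-src", ["*"])  # no default-src means unrestricted
    return {d: csp.get(d, default) for d in FALLBACK_TO_DEFAULT}


def allows_inline(sources: list[str]) -> bool:
    """Inline script/style is allowed by 'unsafe-inline' or by a nonce/hash source."""
    return any(s == "'unsafe-inline'" or s.startswith("'nonce-") or s.startswith("'sha")
               for s in sources)


def audit(raw: str) -> list[str]:
    """Return human-readable findings; an empty list means every wanted header is in order."""
    findings: list[str] = []
    seen: dict[str, list[str]] = {}
    for name, value in parse_headers(raw):
        seen.setdefault(name, []).append(value)
        if value.startswith(":"):
            findings.append(f"{name}: value begins with ':', the Header directive probably "
                            "has a stray colon after the header name")
    for name, wanted in WANTED.items():
        values = seen.get(name)
        if not values:
            findings.append(f"{name}: missing")
        elif wanted is not None and not any(v.lower() == wanted.lower() for v in values):
            findings.append(f"{name}: expected {wanted!r}, got {values!r}")
    xfo = seen.get("x-frame-options", [])
    if len(xfo) > 1 or any("," in v for v in xfo):
        findings.append(f"x-frame-options: sent more than once ({xfo!r}); browsers treat "
                        "conflicting or comma-joined values as invalid and may ignore the header")
    if "content-security-policy-report-only" in seen and "content-security-policy" not in seen:
        findings.append("csp: report-only mode, violations are reported but nothing is blocked")
    for policy in seen.get("content-security-policy", []):
        for directive, sources in effective_csp(policy).items():
            if directive in ("script-src", "style-src") and not allows_inline(sources):
                kind = "scripts" if directive == "script-src" else "styles"
                findings.append(f"csp: {directive} {' '.join(sources)} blocks inline {kind}")
            if directive == "img-src" and "data:" not in sources:
                findings.append("csp: img-src blocks data: images")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print(finding)
```

Run against the sample it reports the malformed `X-Content-Type-Options` value, the duplicated `X-Frame-Options`, and that `default-src 'self'` alone blocks inline scripts, inline styles and `data:` images, which is the kind of restriction that makes a JavaScript-heavy web application stop working. The usual way to learn what an application really needs is to ship the policy as `Content-Security-Policy-Report-Only` first, collect the violation reports, and only then enforce it; a policy that ends up needing `'unsafe-inline'` is weaker than one using nonces or hashes, so that should be a conscious trade-off rather than a default.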