A new security header has been added to the https://securityheaders.com/ checking service, the Feature Policy header.

Feature Policy is a new response header that lets a site control which browser features and APIs its pages (and the frames they embed) may use. In my case, on both my websites, I had blocked everything except the fullscreen feature.

This is the line I inserted in my nginx configuration file to do that:

# Allowlist tokens must be single-quoted inside the double-quoted nginx value: a bare none or self is parsed as an origin and does not disable the feature.
add_header Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'self'; payment 'none';";
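To check that a deployed header actually locks features down, it helps to parse the value the way the draft describes it (a ';'-separated list of directives, each a feature name followed by a whitespace-separated allowlist of 'self', 'none', '*' or origins) rather than eyeballing the nginx line. The script below is an added example written for this post, not code from the original or from any of the referenced projects; the sample header value and the list of features it treats as sensitive are my own constructed choices. It also flags the easiest mistake to make here: an unquoted none or self, which the draft reads as an origin rather than as a keyword. Browsers have since renamed the header Permissions-Policy with a different value syntax; this parser handles only the Feature-Policy form shown on this page.

```python
"""Parse a Feature-Policy header value and audit which features it disables.

Added example, not part of the original post. Assumes the Feature-Policy
draft syntax: directives separated by ';', each a feature name followed by
whitespace-separated allowlist tokens ('self', 'none', '*' or origins).
"""
from typing import Dict, List

# Constructed sample: the nginx value from the post, with the allowlist
# keywords quoted as the draft requires.
SAMPLE_POLICY = (
    "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; "
    "sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; "
    "gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'self'; "
    "payment 'none';"
)

# Features this audit expects to be disabled (assumption: our own choice,
# not a list taken from the spec or from the post).
SENSITIVE_FEATURES = ["geolocation", "microphone", "camera", "payment", "usb"]


def parse_feature_policy(value: str) -> Dict[str, List[str]]:
    """Return {feature: allowlist tokens}; feature names are lower-cased."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if not parts:
            continue  # empty directive, e.g. from the trailing ';'
        feature, allowlist = parts[0].lower(), parts[1:]
        policy[feature] = allowlist
    return policy


def feature_disabled(policy: Dict[str, List[str]], feature: str) -> bool:
    """True only when the feature is listed with exactly the 'none' allowlist.

    A feature absent from the header keeps the browser default (usually
    allowed for the top-level origin), so absence is not counted as disabled.
    """
    return policy.get(feature) == ["'none'"]


def audit(value: str, required_off: List[str]) -> Dict[str, str]:
    """Map each required-off feature to 'disabled', 'allowed' or 'missing'."""
    policy = parse_feature_policy(value)
    report: Dict[str, str] = {}
    for feature in required_off:
        if feature not in policy:
            report[feature] = "missing"
        elif feature_disabled(policy, feature):
            report[feature] = "disabled"
        else:
            report[feature] = "allowed"
    return report


def unquoted_tokens(value: str) -> List[str]:
    """Flag bare none/self/src tokens, which the draft treats as origins.

    Such a token does not disable the feature, so a header like
    "camera none" silently leaves the camera API available.
    """
    bad: List[str] = []
    for feature, allowlist in parse_feature_policy(value).items():
        for token in allowlist:
            if token in ("none", "self", "src"):
                bad.append(f"{feature}: {token}")
    return bad


if __name__ == "__main__":
    for feature, status in audit(SAMPLE_POLICY, SENSITIVE_FEATURES).items():
        print(f"{feature:12} {status}")
    print("unquoted tokens:", unquoted_tokens("camera none; fullscreen self"))
```

Feed it the real header value taken from the response (for example the Feature-Policy line from curl -I) and treat every 'allowed' or 'missing' entry, and every entry from unquoted_tokens, as something to fix in the nginx configuration.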

References

  • Feature Policy - Draft Community Group Report, 26 July 2018 https://wicg.github.io/feature-policy/
  • Introduction to Feature Policy by Eric Bidelman https://developers.google.com/web/updates/2018/06/feature-policy
  • A new security header: Feature Policy, by Scott Helme https://scotthelme.co.uk/a-new-security-header-feature-policy/

Analyse your HTTP response headers

Scan your site now at https://securityheaders.com/ and get a decent grade like A or A+, please.