Emit default CSP headers with:

- [ ] [`Dream.html`](https://aantron.github.io/dream/#val-html)
- [ ] [`Dream.static`](https://aantron.github.io/dream/#val-static) when returning static HTML pages.

- [ ] In particular, include a policy for frames, to mitigate clickjacking by default.
- [ ] Add a handler for logging CSP violation reports.
- [ ] Document everything. Link to MDN and offer basic warnings and guidance. Create a CSP tutorial or example.

- [ ] [`frame-ancestors`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors)
- [ ] https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
- [ ] https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html

It's probably best to:

- [ ] Provide an example that shows CSP in action, as well as reporting.
- [ ] Link to the example from `Dream.html`.
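The following is an added sketch of what the two checklist items (a default CSP with a frame policy, plus a handler that logs violation reports) could look like as a Dream application. It is not Dream's own code and not part of the issue; it assumes the Dream 1.0.0-alpha4 API, where `Dream.add_header` mutates the response in place and `Dream.router` returns a handler, and uses plain `Lwt.map`/`Lwt.bind` rather than `ppx_lwt`. The policy string, the `/csp-report` path and the `csp_middleware`/`csp_report_handler` names are choices made here for illustration.

```ocaml
(* Added example, not Dream's own code. Assumes the Dream 1.0.0-alpha4 API
   (Dream.add_header mutates the response) and plain Lwt without ppx_lwt. *)

(* A conservative default for static HTML: same-origin resources only, no
   plugins, no framing at all (frame-ancestors is the CSP directive that
   mitigates clickjacking), and violation reports POSTed to /csp-report.
   report-uri is the widely supported legacy directive; report-to is its
   successor but also needs a Reporting-Endpoints header. *)
let default_csp =
  String.concat "; " [
    "default-src 'self'";
    "object-src 'none'";
    "base-uri 'self'";
    "frame-ancestors 'none'";
    "report-uri /csp-report";
  ]

(* Middleware: attach the default policy to every text/html response that
   does not already carry a Content-Security-Policy header, so an individual
   route can still override it. X-Frame-Options: DENY is added alongside for
   browsers that predate frame-ancestors. *)
let csp_middleware : Dream.middleware = fun inner_handler request ->
  Lwt.map
    (fun response ->
      let is_html =
        match Dream.header response "Content-Type" with
        | Some ct -> String.length ct >= 9 && String.sub ct 0 9 = "text/html"
        | None -> false
      in
      if is_html && not (Dream.has_header response "Content-Security-Policy")
      then begin
        Dream.add_header response "Content-Security-Policy" default_csp;
        Dream.add_header response "X-Frame-Options" "DENY"
      end;
      response)
    (inner_handler request)

(* Report handler: browsers POST a JSON document (Content-Type
   application/csp-report) describing the blocked resource and the directive
   it violated. Log it with the client address and answer 204 so the browser
   has nothing to render. *)
let csp_report_handler request =
  Lwt.bind (Dream.body request) (fun body ->
    Dream.log "CSP violation report from %s: %s" (Dream.client request) body;
    Dream.empty `No_Content)

let () =
  Dream.run
  @@ Dream.logger
  @@ csp_middleware
  @@ Dream.router [
    Dream.get "/" (fun _ -> Dream.html "<h1>Hello, world!</h1>");
    Dream.post "/csp-report" csp_report_handler;
  ]
```

With this running, `curl -i http://localhost:8080/` shows the two added headers on the HTML response, and any page that tries to frame `/` from another origin triggers a report that appears in the server log. Placing `csp_middleware` inside `Dream.logger` but outside `Dream.router` is what makes the header a default for every HTML route rather than something each handler has to remember.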