Security measures in Open Product
===================================

The following is a non-exhaustive list of configurations in Open Product to enhance
security.

Nginx template considerations
-----------------------------

When deploying Open Product on a VM, nginx is used as a reverse proxy. A number of headers
are set in the virtual host:

``Referrer-Policy: "same-origin";``
    the ``HTTP_REFERER`` header is sent only to Open Product pages

``X-XSS-Protection: "1; mode=block";``
    note that this is not honored by most browsers anymore, but it doesn't hurt to
    include it

``Content-Security-Policy``
    opt-in, configure the deployment playbook accordingly

``Feature-Policy: "autoplay 'none'; camera 'none'" always;``
    there's no need for these :-)

Open Product settings
-----------------------

``X-Frame-Options`` is set to ``DENY``
    no (i)frames are allowed at all