
Most important security feature to enable via headers is Trusted Types. Trusted Types disallows using APIs dynamically evaluating or loading JavaScript. This largely prevents client-side remote code execution vulnerabilities (XSS). Static site design + strong CSP does the rest.
It's possible to make Trusted Types policies that trust sanitizers. It should be avoided. Stick to proper APIs for DOM manipulation, etc. If you avoid dynamic HTML/JS parsing/loading you can use trusted-types 'none' to disallow this. Same concept as disallowing 'unsafe' blocks in Rust.
There's a great article from Microsoft on how Edge redid the internal browser interfaces to use Trusted Types with a 'none' policy: microsoftedge.github.io/edgevr/posts/e. This is one of the security advantages Edge has over Chrome. They're doing genuinely useful downstream Chromium hardening.
It's very unfortunate for Firefox and Safari users that they're missing support for Trusted Types. It has the most impact of any recent browser security feature. It's a very well designed feature. Keep in mind TT policies are a legacy code compatibility feature making it weaker.
It's a very simple feature if you don't need legacy code compatibility. There's hardly anything to learn. I already told you everything you need to know here. It stops you doing dynamic code evaluation / loading. It doesn't interfere with DOM manipulation via structured APIs.
Stick this in your Content-Security-Policy: require-trusted-types-for 'script'; trusted-types 'none' If you followed best practices and didn't dynamically load/parse HTML/JavaScript, you don't need any changes to your code. Unfortunately, many libraries are badly written...
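As an added example (not code from the thread), here is a small Node.js checker that parses a Content-Security-Policy header value and reports whether it enforces Trusted Types in the strict form given above, with no policy escape hatch. The header strings in the demo are constructed for illustration.

```javascript
// Added example: classify a CSP header's Trusted Types posture.
// Strict target, as recommended in the thread:
//   require-trusted-types-for 'script'; trusted-types 'none'

// Split a CSP header into directive name -> list of values. Directive names
// are case-insensitive; values (quoted keywords or policy names) are kept as
// written because policy names are case-sensitive.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// Returns:
//  enforced - require-trusted-types-for 'script' is present, so string
//             assignments to DOM XSS sinks (innerHTML, eval, script.src, ...)
//             are rejected unless wrapped in a Trusted Type.
//  policies - policy names a page may still create ('*' = any name).
//  strict   - enforced AND no policy can be created (trusted-types 'none'),
//             i.e. no legacy-compatibility escape hatch remains.
function checkTrustedTypes(header) {
  const d = parseCsp(header);
  const enforceFor = d.get('require-trusted-types-for') || [];
  const enforced = enforceFor.includes("'script'");

  const ttValues = d.get('trusted-types');
  if (ttValues === undefined) {
    // Directive absent: policy creation is unrestricted.
    return { enforced, policies: ['*'], strict: false };
  }
  // 'none' only takes effect when no policy names accompany it;
  // 'allow-duplicates' is a flag, not a policy name.
  const policies = ttValues.filter(
    (v) => v !== "'none'" && v !== "'allow-duplicates'"
  );
  return { enforced, policies, strict: enforced && policies.length === 0 };
}

// Demo on constructed headers.
for (const h of [
  "default-src 'self'; require-trusted-types-for 'script'; trusted-types 'none'",
  "require-trusted-types-for 'script'; trusted-types default dompurify",
]) {
  console.log(JSON.stringify(checkTrustedTypes(h)), '<=', h);
}
```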
I already tried to follow the rules that it enforces as a best practice, but that's a whole lot different than actually enforcing it. It's also sometimes surprising to find out that a seemingly benign library is doing something horrific with dynamically loaded/generated JavaScript...
Sometimes it also just doesn't occur to you that what you're doing is dynamic code loading/execution as opposed to declaring it all in the document. There are assorted poorly designed JS APIs pushing you to use dynamically loaded code when you really don't need it, like workers.