# Security Headers

The IDP enables strict security headers via Helmet (apps/idp/src/main.ts).

## Headers

| Header | Value |
|---|---|
| HSTS | max-age=31536000; includeSubDomains; preload |
| Referrer-Policy | strict-origin-when-cross-origin |
| X-Content-Type-Options | nosniff |
| X-Frame-Options | deny (via frameguard) |
| COOP/CORP | Defaults |

## Content Security Policy

```
default-src 'self';
script-src 'self' 'unsafe-inline' https://www.googletagmanager.com https://www.google-analytics.com;
style-src 'self' 'unsafe-inline' https:;
img-src 'self' data: https:;
frame-ancestors 'none';
base-uri 'self';
form-action 'self'
```

## Customization

Tune the CSP per tenant if additional third parties are required. Modify the Helmet configuration in apps/idp/src/main.ts.
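
As an added example (not the project's own code from apps/idp/src/main.ts), the JavaScript below shows the Helmet option object that produces the headers documented above, serializes the CSP directive map into the header value, and audits a captured set of response headers against the documented values, flagging `'unsafe-inline'` in `script-src` as a warning because it removes most of the XSS protection a CSP provides. `contentSecurityPolicy.directives`, `hsts`, `referrerPolicy` and `frameguard` are real Helmet options; `buildCspHeader`, `parseCsp` and `auditHeaders` are illustrative names, the sample response headers are constructed, and the expected COOP/CORP values are Helmet's defaults, assumed not to be overridden by the project.

```javascript
// Helmet option object matching the header table and CSP above.
// In the app this would be passed as app.use(helmet(helmetOptions)).
const helmetOptions = {
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'", "'unsafe-inline'",
        "https://www.googletagmanager.com", "https://www.google-analytics.com"],
      styleSrc: ["'self'", "'unsafe-inline'", "https:"],
      imgSrc: ["'self'", "data:", "https:"],
      frameAncestors: ["'none'"],
      baseUri: ["'self'"],
      formAction: ["'self'"],
    },
  },
  hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
  referrerPolicy: { policy: "strict-origin-when-cross-origin" },
  frameguard: { action: "deny" },
};

// Helmet takes camelCase directive keys; the header uses kebab-case.
function toDirectiveName(key) {
  return key.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
}

// Serialize a directive map into a Content-Security-Policy header value.
function buildCspHeader(directives) {
  return Object.entries(directives)
    .map(([key, values]) => [toDirectiveName(key), ...values].join(" "))
    .join("; ");
}

// Parse a CSP header value back into { directive: [sources...] }.
function parseCsp(value) {
  const out = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) out[tokens[0]] = tokens.slice(1);
  }
  return out;
}

// Expected values from the table. COOP/CORP are Helmet's defaults (assumption:
// the project does not override them).
const EXPECTED = {
  "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
  "referrer-policy": "strict-origin-when-cross-origin",
  "x-content-type-options": "nosniff",
  "x-frame-options": "DENY",
  "cross-origin-opener-policy": "same-origin",
  "cross-origin-resource-policy": "same-origin",
};

// Compare a response header object against EXPECTED and the CSP baseline.
// Returns a list of findings; an empty list means the policy is as documented.
function auditHeaders(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
  const findings = [];
  for (const [name, want] of Object.entries(EXPECTED)) {
    if (!(name in h)) findings.push(`missing: ${name}`);
    else if (h[name].toLowerCase() !== want.toLowerCase())
      findings.push(`mismatch: ${name} is "${h[name]}", expected "${want}"`);
  }
  const csp = h["content-security-policy"];
  if (!csp) {
    findings.push("missing: content-security-policy");
    return findings;
  }
  const d = parseCsp(csp);
  if (!(d["frame-ancestors"] || []).includes("'none'"))
    findings.push("csp: frame-ancestors should be 'none'");
  for (const key of ["default-src", "base-uri", "form-action"])
    if (!d[key]) findings.push(`csp: ${key} directive missing`);
  if ((d["script-src"] || []).includes("'unsafe-inline'"))
    findings.push("csp warning: script-src allows 'unsafe-inline', which weakens XSS protection");
  return findings;
}

// Constructed sample: what the IDP would send with the options above, except
// that HSTS was deployed without the preload flag.
const sampleResponseHeaders = {
  "Content-Security-Policy": buildCspHeader(helmetOptions.contentSecurityPolicy.directives),
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "Cross-Origin-Opener-Policy": "same-origin",
  "Cross-Origin-Resource-Policy": "same-origin",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildCspHeader(helmetOptions.contentSecurityPolicy.directives));
  console.log(auditHeaders(sampleResponseHeaders));
}
```

Running the audit against the constructed sample reports the HSTS mismatch and the `'unsafe-inline'` warning; the same function can be pointed at headers captured from a deployed tenant to confirm that a per-tenant CSP change did not drop `frame-ancestors`, `base-uri` or `form-action`.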