Changes


Security/FirefoxOperations

79 bytes added, 15:34, 29 September 2016
no edit summary
* [ ] Forbid Mixed content, always use HTTPS (**APP-MIXCONTENT**)
* [ ] Must have a CSP with (**APP-CSP**)
* [ ] a report-uri pointing to the service 's own `/__cspreport__` endpoint * [ ] frameif default-options set to denysrc is not `self`, child-src should be `none` or only allow specific origins
* [ ] no use of unsafe-inline or unsafe-eval
* [ ] Must have CSRF tokens and manually excluded specific forms (**APP-CSRF**)
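
Review bot: the second sub-item under APP-CSP, which renders here as the old "frame-options set to deny" interleaved with the new "if default-src is not `self`, child-src should be `none` or only allow specific origins", appears to drop the framing requirement, and child-src does not cover it. child-src limits what the page itself may load into nested frames and workers, while whether other origins may frame the service is controlled by frame-ancestors or the X-Frame-Options header. Suggest keeping a separate checklist item for that, for example "* [ ] frame-ancestors set to `'none'` (or X-Frame-Options: DENY)", next to the new child-src item. The condition "if default-src is not `self`" also leaves the `self` case implicit; a short remark that child-src falls back to default-src when it is absent would make the intent of the rule clear.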