CSP HSTS et al. regarding nodebb srv security

Bejan

Currently, I'm deploying with the following security config. Working fine so far, I'd like to get some community feedback.

add_header Content-Security-Policy "default-src 'none'; \
connect-src 'self' https://forum.myforum.com/ wss://forum.myforum.com/ https://bootswatch.com/ https://api.github.com/; \
script-src 'self' 'unsafe-inline https://forum.myforum.com/ https://storage.googleapis.com/; \
img-src 'self' data: https://forum.myforum.com/ https://bootswatch.com/ https://i.imgur.com/ https://www.gravatar.com/; \
style-src 'self' 'unsafe-inline' https://forum.myforum.com/ https://fonts.googleapis.com/ https://maxcdn.bootstrapcdn.com/; \
font-src https://forum.myforum.com/ https://maxcdn.bootstrapcdn.com/bootswatch/latest/fonts/ chrome-extension://* 
 https://fonts.gstatic.com/; \
frame-ancestors 'self'; \
object-src 'none';
manifest-src https://forum.myforum.com/;";
  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";×¬                                              
  add_header 'Referrer-Policy' 'same-origin';¬                                                                                        
  add_header X-Content-Type-Options nosniff;¬                                                                                         
  add_header X-XSS-Protection "1; mode=block";¬                                                                                       
  add_header X-Download-Options noopen;¬                                                                                              
  add_header X-Permitted-Cross-Domain-Policies none;¬                                                                                 
  add_header X-Frame-Options "SAMEORIGIN";

Helpful website for testing was https://observatory.mozilla.org/

edit: add manifest-src to enable webmanifest loading