Security measures in Open Zaak
==============================

The following is a non-exhaustive list of configurations in Open Zaak to enhance
security.

nginx template considerations
-----------------------------

When deploying Open Zaak on a VM, nginx is used as a reverse proxy. A number of headers
are set in the virtual host:

``Referrer-Policy: "same-origin";``
    the ``HTTP_REFERER`` header is sent only to Open Zaak pages

``X-Content-Type-Options: "nosniff";``
    protects against user-uploaded content, which is relevant because of the Documents
    API and serving of that user content

``X-XSS-Protection: "1; mode=block";``
    note that this is not honored by most browsers anymore, but it doesn't hurt to
    include it

``Content-Security-Policy``
    opt-in

``Feature-Policy: "autoplay 'none'; camera 'none'" always;``
    there's no need for these :-)

Open Zaak settings
------------------

``X-Frame-Options`` is set to ``DENY``
    no (i)frames are allowed at all