One thing a website can do, and something I have included in the spectrum, is HPKP (see my blog), which is generally considered a nightmare and broken; other content-security headers, however, are needed by some web things to work.
As it is kind of TLS-related, I decided to make the zoo compatible with the more common CSP-style headers that were so far unused here in the zoo. There are easy headers, like HSTS, X-Frame-Options, Set-Cookie and X-XSS-Protection, and hard ones: CSP is hard. I was missing a couple and thought, why not.
However, while CSP allows the things that are needed, it is quite tricky to figure out the format, which goes (each directive separated from the next by a semicolon):
<set header> default-src 'self' data: hostname; script-src * data: hostname; style-src data: hostname
The Chrome browser's developer tools are helpful for diagnosing this, although I never bothered to look at Firefox's tools.
I had to use a wildcard for the hostname in our policy, but things eventually worked.
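To make the format above easier to check, here is an added example (not code from the post) that parses a Content-Security-Policy value into its directives, rebuilds it, and flags the source expressions that weaken it, such as the bare `*` and `data:` in `script-src`. The hostnames `*.example.invalid` and `static.example.invalid` are placeholders, the two sample policies are constructed for the example, and the list of risky sources is a heuristic, not a complete CSP validator.

```python
"""Parse a Content-Security-Policy header and flag risky source expressions.

Added example: the policies below are constructed, and example.invalid
is a placeholder hostname standing in for the site's real one.
"""

# Source expressions that weaken a directive when they appear in it.
RISKY = {
    "*": "wildcard allows any origin",
    "data:": "data: URIs can carry attacker-supplied content",
    "'unsafe-inline'": "inline scripts/styles defeat CSP's XSS protection",
    "'unsafe-eval'": "eval() turns strings into executable code",
}

# Directives where a risky source matters most (they govern script execution
# or, via default-src, fall back for every fetch directive not set explicitly).
SCRIPT_LIKE = {"default-src", "script-src", "script-src-elem", "object-src"}


def parse_csp(header: str) -> dict:
    """Split 'name src src; name src' into {name: [src, ...]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if not tokens:          # tolerate a trailing or doubled semicolon
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, []).extend(sources)
    return policy


def build_csp(policy: dict) -> str:
    """Inverse of parse_csp: join directives back into one header value."""
    return "; ".join(f"{name} {' '.join(srcs)}".rstrip()
                     for name, srcs in policy.items())


def audit_csp(header: str) -> list:
    """Return human-readable findings for weak sources in the policy."""
    findings = []
    policy = parse_csp(header)
    for name, sources in policy.items():
        for src in sources:
            key = src.lower()
            # A bare wildcard is reported anywhere; data:/unsafe-* only where
            # they can lead to script execution.
            if key in RISKY and (name in SCRIPT_LIKE or key == "*"):
                findings.append(f"{name}: {src} ({RISKY[key]})")
    if "script-src" not in policy and "default-src" not in policy:
        findings.append("no script-src or default-src: scripts are unrestricted")
    return findings


# Constructed policy with the shape described in the post: wildcard and
# data: sources on the script directive.
LOOSE_POLICY = (
    "default-src 'self' data: *.example.invalid; "
    "script-src * data: *.example.invalid; "
    "style-src data: *.example.invalid"
)

# The same site, tightened: scripts only from self and one named host,
# plugins disabled, base-uri pinned so injected <base> tags cannot redirect
# relative script URLs.
TIGHT_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://static.example.invalid; "
    "style-src 'self' data:; "
    "img-src 'self' data:; "
    "object-src 'none'; "
    "base-uri 'self'"
)

if __name__ == "__main__":
    for label, policy in (("loose", LOOSE_POLICY), ("tight", TIGHT_POLICY)):
        print(f"[{label}] Content-Security-Policy: {build_csp(parse_csp(policy))}")
        for finding in audit_csp(policy) or ["no findings"]:
            print("   ", finding)
```

Running the audit over the loose policy reports the `data:` fallback in `default-src` and both the `*` and `data:` sources in `script-src`; the tightened policy comes back clean. The same Chrome console that reports blocked resources will show which of the tightened directives still needs a specific host added.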
HPKP remains something I won't touch with a bargepole, for if Symantec can issue bad EV certificates (the green ones) unauthorised, then the danger becomes clear to all.