From 695239681bd5a5e5e87571397409b09d5a2ea7be Mon Sep 17 00:00:00 2001 From: Rohan Kumar Date: Sun, 5 Jun 2022 21:15:22 -0700 Subject: [PATCH] Drop x-dns-prefetch-control header Non-standard header of dubious merit, since my site shouldn't do prefetching in the first place. --- content/privacy.gmi | 2 -- content/privacy.md | 2 -- 2 files changed, 4 deletions(-) diff --git a/content/privacy.gmi b/content/privacy.gmi index 925113d..cdad3d5 100644 --- a/content/privacy.gmi +++ b/content/privacy.gmi @@ -81,8 +81,6 @@ By default, web browsers may share arbitrary information with a server through H By default, web browsers can share near-arbitrary identifying data with a server by executing near-arbitrary JavaScript, or store this information for future transmission. I have disabled this behavior with a "Content-Security-Policy" HTTP header that forbids script loading ("script-src: none"), script execution ("sandbox"), and making connections for any purpose other than downloading a page a user navigated to ("connect-src"). -By default, web browsers may "pre-fetch" DNS queries for links on a page, potentially leaking information to third parties without a user's consent; I have disabled this behavior with the "X-DNS-Prefetch-Control" header. This header is respected by Chromium, Firefox, and Chromium derivatives (e.g. Google Chrome, Microsoft Edge). - By default, user agents using HTTPS may contact a certificate authority to check the revocation status of an TLS certificate. I have disabled and replaced this behavior by including an "OCSP Must-Staple" directive in the TLS certificates used by my Web servers. By default, user agents using HTTP or HTTPS may share a "referring" location with the destination website when following a link. I have disabled this by sending a "Referrer-Policy: no-referrer" header. diff --git a/content/privacy.md b/content/privacy.md index d7717da..39a106b 100644 --- a/content/privacy.md +++ b/content/privacy.md 
@@ -87,8 +87,6 @@ By default, web browsers may share arbitrary information with a server through H By default, web browsers can share near-arbitrary identifying data with a server by executing near-arbitrary JavaScript, or store this information for future transmission. I have disabled this behavior with a `Content-Security-Policy` HTTP header that forbids script loading (`script-src: none`), script execution (`sandbox`), and making connections for any purpose other than downloading a page a user navigated to (`connect-src`). -By default, web browsers may "pre-fetch" DNS queries for links on a page, potentially leaking information to third parties without a user's consent; I have disabled this behavior with the X-DNS-Prefetch-Control header. This header is respected by Chromium, Firefox, and Chromium derivatives (e.g. Google Chrome, Microsoft Edge). - By default, user agents using HTTPS may contact a certificate authority to check the revocation status of an TLS certificate. I have disabled and replaced this behavior by including an "OCSP Must-Staple" directive in the TLS certificates used by my Web servers. By default, user agents using HTTP or HTTPS may share a "referring" location with the destination website when following a link. I have disabled this by sending a `Referrer-Policy: no-referrer` header.
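Review bot: In the content/privacy.gmi hunk (@@ -81), deleting the X-DNS-Prefetch-Control paragraph leaves the privacy page with no statement at all about DNS prefetching, and the commit message's rationale ("my site shouldn't do prefetching in the first place") is not carried over into the text. The surrounding `connect-src` sentence does not fill that gap: Content-Security-Policy restricts fetches made on behalf of the page, not the browser's own speculative DNS lookups for link hostnames. Suggest replacing the deleted paragraph with a one-line statement of why the header is unnecessary (that the site sends no prefetch hints and does not opt in to prefetching), so the disclosure stays complete. Also note that this diff only touches the two content files; the header itself is emitted by server configuration that is not part of this patch, so confirm that change lands alongside or say where it lives.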
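Review bot: The content/privacy.md hunk (@@ -87) removes the same paragraph as the .gmi version, so whatever replacement sentence is chosen for privacy.gmi should be mirrored here, otherwise the Gemini and HTTP renderings of the privacy page will diverge. One drive-by while these paragraphs are being edited: the unchanged context line "revocation status of an TLS certificate" should read "a TLS certificate" in both files; fixing it in a follow-up keeps the two copies consistent.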