A custom headers map may also be given to be merged with defaults. It is recommended for custom header keys to be in lowercase, to avoid sending duplicate keys in a request. Additionally, responses with mixed-case headers served over HTTP/2 are not considered valid by common clients, resulting in dropped responses.
    pipeline :browser do
      ...
      plug :put_secure_browser_headers,
        %{
          "content-security-policy" =>
            "frame-src 'self'; frame-ancestors 'none'"
        }
    end
etc.
I am currently using a plug, which puts response headers on incoming requests from the browser.
Is this the correct way to do it?
What is the correct way to set the security headers apart from CSP?
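
The lowercase-key advice quoted above, as an added example that is not part of the original post or of Phoenix's own code: a plain-Elixir model of a case-sensitive header merge, showing how a mixed-case key leaves two copies of the same header and how folding keys to lowercase first avoids it. The module `HeaderCheck`, its functions and the default header values are constructed for illustration, and the case-sensitive list merge is an assumed model of how response headers are stored.

```elixir
defmodule HeaderCheck do
  # Constructed stand-in for the defaults the plug sets; the real set
  # depends on the Phoenix version in use.
  @defaults [
    {"content-security-policy", "base-uri 'self'"},
    {"x-content-type-options", "nosniff"}
  ]

  # Case-sensitive merge over a list of {name, value} tuples
  # (assumed model): a key replaces an entry only on an exact match.
  def merge(custom) do
    Enum.reduce(custom, @defaults, fn {k, v}, acc ->
      List.keystore(acc, k, 0, {k, v})
    end)
  end

  # Header names that occur more than once after case-folding,
  # i.e. what a client would see as duplicate headers.
  def duplicates(headers) do
    headers
    |> Enum.map(fn {k, _v} -> String.downcase(k) end)
    |> Enum.frequencies()
    |> Enum.filter(fn {_name, count} -> count > 1 end)
    |> Enum.map(fn {name, _count} -> name end)
  end

  # Fold custom keys to lowercase before passing the map to the plug.
  def normalize(custom) do
    Map.new(custom, fn {k, v} -> {String.downcase(k), v} end)
  end
end

# Constructed input: the CSP value from the post under a mixed-case key.
mixed = %{"Content-Security-Policy" => "frame-src 'self'; frame-ancestors 'none'"}

# Merged as given: the default and the custom CSP are both kept.
mixed |> HeaderCheck.merge() |> HeaderCheck.duplicates() |> IO.inspect(label: "as given")

# Normalized first: the custom value replaces the default.
mixed
|> HeaderCheck.normalize()
|> HeaderCheck.merge()
|> HeaderCheck.duplicates()
|> IO.inspect(label: "normalized")
```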