You'll find in tiki-admin.php?page=security
The stronger settings are activated by default in new installs of Tiki25+. For previous versions, and if upgrading from <=24 to =>25, you need to activate manually. We chose not to make this automatic because these higher security measures can cause some side-effects on highly customized Tiki instances.
|Introduced in Tiki version
|HTTP header X-Frame-Options
| The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a
|HTTP Header X-XSS-Protection
|The X-XSS-Protection header is designed to enable the cross-site scripting (XSS) filter built into modern web browsers
|HTTP Header X-Content-Type-Options
|The X-Content-Type-Options header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed.
|HTTP Header Content-Security-Policy
|The Content-Security-Policy header allows web site administrators to control resources the user agent is allowed to load for a given page.
|HTTP Header Strict-Transport-Security
|The Strict-Transport-Security header (often abbreviated as HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.
|HTTP Header Public-Key-Pins
|The Public-Key-Pins header associates a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. If one or several keys are pinned and none of them are used by the server, the browser will not accept the response as legitimate, and will not display it.