Important: #100032 - Add HTTP security headers for backend by default

See forge#100032


The following HTTP security headers are now added by default for the TYPO3 backend:

  • Strict-Transport-Security: max-age=31536000 (only if $GLOBALS[TYPO3_CONF_VARS][BE][lockSSL] is active)
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin

The default HTTP security headers are configured globally in $GLOBALS['TYPO3_CONF_VARS']['BE']['HTTP']['Response']['Headers'] and include a unique array key, so it is possible to individually unset/remove unwanted headers.