Please add support for custom HTTP security headers (HSTS, CSP, X-Frame-Options, Permissions-Policy) for hosted apps. This is critical for regulatory compliance (RGPD, NIS2) and affects compliance scanner scores significantly.
Hey @Jibril_Bikai , thanks for raising this. Two of the four are already live:
HSTS and X-Frame-Options ship as opt-in toggles in your app under Settings → Security Headers. You can set the HSTS duration in months, toggle includeSubDomains and preload, and pick DENY or SAMEORIGIN for framing.
CSP can be set today via a meta tag inside your app’s HTML, which compliance scanners do detect!
That being said, Permissions-Policy has no meta-tag fallback, so it needs platform support. I’ll add it to our roadmap!
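As an added illustration (not code from this thread or from the hosting platform), here is a small audit in the spirit of what a compliance scanner does with these four headers: it takes a response's headers and HTML, counts a meta-tag fallback only for CSP, and flags CSP directives that browsers ignore when the policy is delivered via meta rather than a header. The sample headers and HTML are constructed.

```python
from html.parser import HTMLParser

# Headers a scanner looks for; True = browsers honour a <meta http-equiv> fallback
META_FALLBACK = {
    "strict-transport-security": False,
    "content-security-policy": True,
    "x-frame-options": False,
    "permissions-policy": False,
}
# CSP directives browsers ignore when the policy arrives via <meta> rather than a header
META_UNSUPPORTED_CSP = ("frame-ancestors", "report-uri", "report-to", "sandbox")

# Constructed sample: HSTS and X-Frame-Options from the platform toggles, CSP via <meta>
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
}
SAMPLE_HTML = ('<html><head><meta http-equiv="Content-Security-Policy" '
               'content="default-src \'self\'; frame-ancestors \'none\'"></head></html>')


class MetaCollector(HTMLParser):
    """Collect <meta http-equiv="..." content="..."> pairs, keyed by lower-cased name."""
    def __init__(self):
        super().__init__()
        self.meta = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already lower-cases attribute names
        if tag == "meta" and a.get("http-equiv") and a.get("content") is not None:
            self.meta[a["http-equiv"].lower()] = a["content"]


def audit(headers, html):
    """Map each header to (source, value, warning); source is "header", "meta" or None."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    p = MetaCollector()
    p.feed(html)
    result = {}
    for name, fallback_ok in META_FALLBACK.items():
        src, val, warning = None, None, None
        if name in hdrs:
            src, val = "header", hdrs[name]
        elif name in p.meta and fallback_ok:
            src, val = "meta", p.meta[name]
            ignored = [d for d in META_UNSUPPORTED_CSP if d in val]
            if ignored:
                warning = "directives ignored in <meta>: " + ", ".join(ignored)
        elif name in p.meta:
            warning = "<meta> fallback is not honoured by browsers"
        result[name] = (src, val, warning)
    return result
```

Calling audit(SAMPLE_HEADERS, SAMPLE_HTML) reports HSTS and X-Frame-Options from headers, CSP from the meta tag with a warning that frame-ancestors is ignored there, and Permissions-Policy as absent.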