strapi/examples/getstarted/config/environments/production/security.json

{
  "csrf": {
    "enabled": false,
    "key": "_csrf",
    "secret": "_csrfSecret"
  },
  "csp": {
    "enabled": true,
    "policy": [{
        "img-src": "'self' http:"
      },
      "block-all-mixed-content"
    ]
  },
  "p3p": {
    "enabled": true,
    "value": ""
  },
  "hsts": {
    "enabled": true,
    "maxAge": 31536000,
    "includeSubDomains": true
  },
  "xframe": {
    "enabled": true,
    "value": "SAMEORIGIN"
  },
  "xss": {
    "enabled": true,
    "mode": "block"
  },
  "cors": {
    "enabled": true,
    "origin": "*",
    "expose": [
      "WWW-Authenticate",
      "Server-Authorization"
    ],
    "maxAge": 31536000,
    "credentials": true,
    "methods": [
      "GET",
      "POST",
      "PUT",
      "PATCH",
      "DELETE",
      "OPTIONS",
      "HEAD"
    ],
    "headers": [
      "Content-Type",
      "Authorization",
      "X-Frame-Options",
      "Origin"
    ]
  },
  "ip": {
    "enabled": false,
    "whiteList": [],
    "blackList": []
  }
}