strapi/examples/getstarted/config/environments/production/security.json

{
  "csrf": {
    "enabled": false,
    "key": "_csrf",
    "secret": "_csrfSecret"
  },
  "csp": {
    "enabled": true,
    "policy": [
      {
        "img-src": "'self' http:"
      },
      "block-all-mixed-content"
    ]
  },
  "p3p": {
    "enabled": true,
    "value": ""
  },
  "hsts": {
    "enabled": true,
    "maxAge": 31536000,
    "includeSubDomains": true
  },
  "xframe": {
    "enabled": true,
    "value": "SAMEORIGIN"
  },
  "xss": {
    "enabled": true,
    "mode": "block"
  },
  "cors": {
    "enabled": true
  },
  "ip": {
    "enabled": false,
    "whiteList": [],
    "blackList": []
  }
}