From 410ac8635f60c71d80c65b9a95a386a5e1d3f37e Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 1 Jul 2026 05:04:59 +0000 Subject: [PATCH] docs: fix stale Permissions-Policy and CSP scoring criteria in README The "Headers Checked" table said Permissions-Policy scores on mere presence and didn't mention CSP's base-uri/bare-scheme checks, but rules.ts requires camera/microphone/geolocation to be restricted for full credit and separately checks base-uri and bare-scheme sources. Update the table to match the actual scoring logic so users aren't misled about how to reach a good grade. Co-Authored-By: Claude Sonnet 5 Claude-Session: https://claude.ai/code/session_01Tzhr2b5BycnZ2yf98aiLZe --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index d85cb02..df2f720 100644 --- a/README.md +++ b/README.md @@ -121,11 +121,11 @@ interface HeaderFinding { | Header | Max Points | Key Checks | |---|---|---| | Strict-Transport-Security | 20 | max-age ≥ 1 year, includeSubDomains, preload | -| Content-Security-Policy | 30 | presence, no unsafe-inline/eval, no wildcards, form-action set | +| Content-Security-Policy | 30 | presence, no unsafe-inline/eval, no wildcard/bare-scheme sources, form-action set, base-uri set | | X-Frame-Options | 15 | DENY or SAMEORIGIN (or CSP frame-ancestors) | | X-Content-Type-Options | 10 | nosniff | | Referrer-Policy | 10 | strict values only | -| Permissions-Policy | 10 | presence | +| Permissions-Policy | 10 | camera, microphone, and geolocation restricted | | Cross-Origin Policies | 5 | COEP, COOP, CORP | ---