Finding from security review:
- Given that push-notifications will be a private, internal, RESTful service accessed only by Wikimedia production infrastructure, security headers aren't quite as much of a concern here. But it likely wouldn't hurt to tighten the defaults. media-src, img-src and style-src could all be set to 'none', I believe. I'd also recommend adding base-uri: 'self' to the content-security-policy header, and possibly removing x-webkit-csp and x-content-security-policy since those headers are deprecated. It also wouldn't be a bad idea to enable hsts if my assumption above that this service will be forced over TLS is correct. And finally setting access-control-allow-origin to whatever the internal hostname of the service ends up being. Risk: low.