Add a more strict default

src/NetEscapades.AspNetCore.SecurityHeaders/HeaderPolicyCollectionExtensions.cs

@@ -35,7 +35,7 @@ public static HeaderPolicyCollection Copy(this IReadOnlyHeaderPolicyCollection p
     /// <summary>
     /// Add default headers in accordance with the most secure approach
     /// </summary>
-    /// <param name="policies">The <see cref="HeaderPolicyCollection" /> to add the deafult security header policies too</param>
+    /// <param name="policies">The <see cref="HeaderPolicyCollection" /> to add the default security header policies too</param>
     /// <returns>The <see cref="HeaderPolicyCollection" /> for method chaining</returns>
     public static HeaderPolicyCollection AddDefaultSecurityHeaders(this HeaderPolicyCollection policies)
     {
@@ -51,6 +51,9 @@ public static HeaderPolicyCollection AddDefaultSecurityHeaders(this HeaderPolicy
             builder.AddFrameAncestors().None();
         });
         policies.AddCrossOriginOpenerPolicy(x => x.SameOrigin());
+        policies.AddCrossOriginEmbedderPolicy(builder => builder.RequireCorp());
+        policies.AddCrossOriginResourcePolicy(builder => builder.SameOrigin());
+
         return policies;
     }
 
@@ -80,6 +83,12 @@ public static HeaderPolicyCollection AddDefaultApiSecurityHeaders(this HeaderPol
         // The following are generally not applicable, but still worth applying for safety
         policies.AddReferrerPolicyNoReferrer();
         policies.AddPermissionsPolicyWithDefaultSecureDirectives();
+
+        policies.AddReferrerPolicyStrictOriginWhenCrossOrigin();
+        policies.AddCrossOriginOpenerPolicy(builder => builder.SameOrigin());
+        policies.AddCrossOriginEmbedderPolicy(builder => builder.RequireCorp());
+        policies.AddCrossOriginResourcePolicy(builder => builder.SameOrigin());
+
         return policies;
     }
 }