one of our users had the site reverse proxied. it broke after the
5.1 cipher change and they nailed it down to using this cipher.
https://security.stackexchange.com/questions/72926/is-tls-ecdhe-rsa-with-aes-128-cbc-sha256-a-safe-cipher-suite-to-use
says this is safe
The following prints the cipher suite:
log_format combined2 '$remote_addr - [$time_local] '
'$ssl_protocol/$ssl_cipher '
'"$request" $status $body_bytes_sent $request_time '
'"$http_referer" "$host" "$http_user_agent"';
It seems we cannot separate frame ancestors from CSP because the hide
header just hides everything and not a specific resource. This means
that the user has to set or unset the full policy whole sale.
