I’ve seen this article: Neatly bypassing CSP. And it appears that the error pages served by haproxy can be used to bypass some Content-Security-Policy rules.
It looks like it should be possible to customize the error from haproxy with the errorfile command, but it’s tedious to do that for each HTTP status code. Is it possible to add an HTTP header for all the error pages served by haproxy without having to edit the error for each status code?
And maybe the haproxy developpers should consider having
X-Frame-Options: DENY by default for the error pages. I’m not sure, but it looks like a good default.