From 0a03c3bb4c3e076c9d9ce05d3be73b89f31a0fe6 Mon Sep 17 00:00:00 2001
From: mat ess
Date: Thu, 20 Oct 2022 21:01:11 -0400
Subject: [PATCH] Add per env headers
---
 flake.nix | 1 +
 headers/production | 24 ++++++++++++++++++++
 headers/staging | 6 +++++
 netlify.toml | 56 ++++------------------------------------------
 4 files changed, 35 insertions(+), 52 deletions(-)
 create mode 100644 headers/production
 create mode 100644 headers/staging
diff --git a/flake.nix b/flake.nix
index a25ca08..7bdf32d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -28,6 +28,7 @@
 ${optionalString (!prod) "BASE_URL=https://${rev}--mat-services.netlify.app"}
 zola build --drafts ${optionalString (!prod) "--base-url $BASE_URL"}
 # zola's ignored_content setting doesn't work in static/
+cp headers/${if prod then "production" else "staging"} public/_headers
 rm -rf public/image/_favicon.svg
 '';
 in
diff --git a/headers/production b/headers/production
new file mode 100644
index 0000000..fce515f
--- /dev/null
+++ b/headers/production
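Review bot: The new `cp` line is inserted between the comment `# zola's ignored_content setting doesn't work in static/` and the `rm -rf public/image/_favicon.svg` line that comment explains, so the comment now reads as if it describes the copy. Move the `cp` up to directly follow the `zola build …` line (it must stay after the build, which creates `public/`) and give it its own comment, `# netlify reads file-based headers from public/_headers; pick the per-environment set`. With the `[[headers]]` blocks gone from netlify.toml this copy is now the only thing that puts security headers on the site, so if this shell fragment runs without `set -e` (not visible here) a missing headers file would mean a deploy with no headers rather than a failed build. The shell string and its enclosing `let` begin before this hunk.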
@@ -0,0 +1,24 @@
+# disable FLoC tracking
+Permissions-Policy: interest-cohort=()
+# enable HSTS
+Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
+# disable clients from sniffing the media type
+X-Content-Type-Options: nosniff
+# clickjacking protection
+X-Frame-Options: DENY
+# keep referrer data off of HTTP connections
+Referrer-Policy: no-referrer
+# content security policy
+# style-src 'unsafe-inline': syntax highlighting in codefences
+# sandbox allow-popups: enable target="_blank" links to open in new tabs
+Content-Security-Policy: default-src 'none';
+Content-Security-Policy: img-src 'self' https://mat.services https://stats.mat.services;
+Content-Security-Policy: style-src 'self' https://mat.services 'unsafe-inline';
+Content-Security-Policy: font-src 'self' https://mat.services;
+Content-Security-Policy: script-src 'self' https://mat.services https://stats.mat.services;
+Content-Security-Policy: form-action 'none';
+Content-Security-Policy: frame-ancestors 'none';
+Content-Security-Policy: base-uri 'none';
+Content-Security-Policy: upgrade-insecure-requests;
+Content-Security-Policy: sandbox allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox;
+'''
\ No newline at end of file
diff --git a/headers/staging b/headers/staging
new file mode 100644
index 0000000..3ed194d
--- /dev/null
+++ b/headers/staging
@@ -0,0 +1,6 @@
+/*
+ Permissions-Policy: interest-cohort=()
+ X-Content-Type-Options: nosniff
+ X-Frame-Options: DENY
+ Referrer-Policy: no-referrer
+ Content-Security-Policy: default-src *;
\ No newline at end of file
diff --git a/netlify.toml b/netlify.toml
index bcecf8b..69bc4f5 100644
--- a/netlify.toml
+++ b/netlify.toml
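Review bot: The file's last line `'''` is a leftover from the removed TOML multi-line string, not a header, and there is no `/*` path line ahead of the headers as there is in headers/staging; Netlify's `_headers` format attaches header lines to the preceding path, so as written this file most likely fails to parse and production ships with no security headers at all. The ten separate `Content-Security-Policy:` lines are a second problem: Netlify combines repeated header names into one comma-joined value (per its multi-value headers documentation, worth confirming), and in CSP a comma separates independent policies that are all enforced, so the first policy `default-src 'none'` on its own would block every image, style, font and script on the site. Restore the single-policy form: add `/*` as the first line, drop the trailing `'''`, and join the directives with `; ` into one indented header, `Content-Security-Policy: default-src 'none'; img-src 'self' https://mat.services https://stats.mat.services; style-src 'self' https://mat.services 'unsafe-inline'; font-src 'self' https://mat.services; script-src 'self' https://mat.services https://stats.mat.services; form-action 'none'; frame-ancestors 'none'; base-uri 'none'; upgrade-insecure-requests; sandbox allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox`. The `#` comment lines appear to be accepted by the `_headers` parser and can stay.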
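Review bot: `Content-Security-Policy: default-src *;` on the last line allows any remote origin but not inline styles, and the production file's own comment says `'unsafe-inline'` on style-src is needed for code-fence syntax highlighting, so previews may render highlighted code differently from production unless a `style-src * 'unsafe-inline'` directive is added. Compared with the `[context.deploy-preview]` block this file replaces, `Strict-Transport-Security` has also been dropped; if that is intentional for preview hosts, record it with a comment such as `# HSTS intentionally omitted on preview hosts`, otherwise restore `  Strict-Transport-Security: max-age=63072000; includeSubDomains; preload`.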
@@ -7,55 +7,7 @@
 publish = "public/"
 port = 1111
 
-[context.production]
- [[redirects]]
- from = "https://mat-services.netlify.app/*"
- to = "https://mat.services/:splat"
- force = true
-
- [[headers]]
- for = "/*"
-
- [headers.values]
- # disable FLoC tracking
- Permissions-Policy = "interest-cohort=()"
- # enable HSTS
- Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
- # disable clients from sniffing the media type
- X-Content-Type-Options = "nosniff"
- # clickjacking protection
- X-Frame-Options = "DENY"
- # keep referrer data off of HTTP connections
- Referrer-Policy = "no-referrer"
- # content security policy
- # style-src 'unsafe-inline': syntax highlighting in codefences
- # sandbox allow-popups: enable target="_blank" links to open in new tabs
- Content-Security-Policy = '''
- default-src 'none';
- img-src 'self' https://mat.services https://stats.mat.services;
- style-src 'self' https://mat.services 'unsafe-inline';
- font-src 'self' https://mat.services;
- script-src 'self' https://mat.services https://stats.mat.services;
- form-action 'none';
- frame-ancestors 'none';
- base-uri 'none';
- upgrade-insecure-requests;
- sandbox
- allow-same-origin
- allow-scripts
- allow-popups
- allow-popups-to-escape-sandbox
- '''
-
-[context.deploy-preview]
- [[headers]]
- for = "/*"
-
- [headers.values]
- Permissions-Policy = "interest-cohort=()"
- Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
- X-Content-Type-Options = "nosniff"
- X-Frame-Options = "DENY"
- Referrer-Policy = "no-referrer"
- Content-Security-Policy = "default-src *;"
-
+[[redirects]]
+ from = "https://mat-services.netlify.app/*"
+ to = "https://mat.services/:splat"
+ force = true
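Review bot: Promoting `[[redirects]]` from `[context.production]` to the top level makes the `mat-services.netlify.app/*` to `mat.services/:splat` redirect apply in every deploy context, a scope change the commit message does not mention. It is probably harmless, since the `from` host is the bare netlify.app alias while previews use `<rev>--mat-services.netlify.app` (per the flake.nix hunk), but that reasoning should be recorded rather than rediscovered, e.g. above the header: `# Not context-scoped: the from-host only matches the production netlify.app alias, so previews are unaffected`. Removing the `[[headers]]` blocks also means netlify.toml no longer documents any response headers; a one-line pointer such as `# security headers live in headers/{production,staging}, copied to public/_headers at build time` would help the next reader.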