Add per env headers
continuous-integration/drone/push Build is passing Details
continuous-integration/drone Build is passing Details

pull/1/head
mat ess 2022-10-20 21:01:11 -04:00
parent 1cf880cec7
commit 0a03c3bb4c
4 changed files with 35 additions and 52 deletions

View File

@ -28,6 +28,7 @@
${optionalString (!prod) "BASE_URL=https://${rev}--mat-services.netlify.app"}
zola build --drafts ${optionalString (!prod) "--base-url $BASE_URL"}
# zola's ignored_content setting doesn't work in static/
cp headers/${if prod then "production" else "staging"} public/_headers
rm -rf public/image/_favicon.svg
'';
in

24
headers/production Normal file
View File

@ -0,0 +1,24 @@
# disable FLoC tracking
Permissions-Policy: interest-cohort=()
# enable HSTS
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
# disable clients from sniffing the media type
X-Content-Type-Options: nosniff
# clickjacking protection
X-Frame-Options: DENY
# keep referrer data off of HTTP connections
Referrer-Policy: no-referrer
# content security policy
# style-src 'unsafe-inline': syntax highlighting in codefences
# sandbox allow-popups: enable target="_blank" links to open in new tabs
Content-Security-Policy: default-src 'none';
Content-Security-Policy: img-src 'self' https://mat.services https://stats.mat.services;
Content-Security-Policy: style-src 'self' https://mat.services 'unsafe-inline';
Content-Security-Policy: font-src 'self' https://mat.services;
Content-Security-Policy: script-src 'self' https://mat.services https://stats.mat.services;
Content-Security-Policy: form-action 'none';
Content-Security-Policy: frame-ancestors 'none';
Content-Security-Policy: base-uri 'none';
Content-Security-Policy: upgrade-insecure-requests;
Content-Security-Policy: sandbox allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox;
'''

6
headers/staging Normal file
View File

@ -0,0 +1,6 @@
/*
Permissions-Policy: interest-cohort=()
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: no-referrer
Content-Security-Policy: default-src *;

View File

@ -7,55 +7,7 @@
publish = "public/"
port = 1111
[context.production]
[[redirects]]
from = "https://mat-services.netlify.app/*"
to = "https://mat.services/:splat"
force = true
[[headers]]
for = "/*"
[headers.values]
# disable FLoC tracking
Permissions-Policy = "interest-cohort=()"
# enable HSTS
Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options = "nosniff"
# clickjacking protection
X-Frame-Options = "DENY"
# keep referrer data off of HTTP connections
Referrer-Policy = "no-referrer"
# content security policy
# style-src 'unsafe-inline': syntax highlighting in codefences
# sandbox allow-popups: enable target="_blank" links to open in new tabs
Content-Security-Policy = '''
default-src 'none';
img-src 'self' https://mat.services https://stats.mat.services;
style-src 'self' https://mat.services 'unsafe-inline';
font-src 'self' https://mat.services;
script-src 'self' https://mat.services https://stats.mat.services;
form-action 'none';
frame-ancestors 'none';
base-uri 'none';
upgrade-insecure-requests;
sandbox
allow-same-origin
allow-scripts
allow-popups
allow-popups-to-escape-sandbox
'''
[context.deploy-preview]
[[headers]]
for = "/*"
[headers.values]
Permissions-Policy = "interest-cohort=()"
Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
X-Content-Type-Options = "nosniff"
X-Frame-Options = "DENY"
Referrer-Policy = "no-referrer"
Content-Security-Policy = "default-src *;"