Add per env headers

flake.nix

@@ -28,6 +28,7 @@
               ${optionalString (!prod) "BASE_URL=https://${rev}--mat-services.netlify.app"}
               zola build --drafts ${optionalString (!prod) "--base-url $BASE_URL"}
               # zola's ignored_content setting doesn't work in static/
+              cp headers/${if prod then "production" else "staging"} public/_headers
               rm -rf public/image/_favicon.svg
             '';
         in

headers/production

@@ -0,0 +1,24 @@
+# disable FLoC tracking
+Permissions-Policy: interest-cohort=()
+# enable HSTS
+Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
+# disable clients from sniffing the media type
+X-Content-Type-Options: nosniff
+# clickjacking protection
+X-Frame-Options: DENY
+# keep referrer data off of HTTP connections
+Referrer-Policy: no-referrer
+# content security policy
+# style-src 'unsafe-inline': syntax highlighting in codefences
+# sandbox allow-popups: enable target="_blank" links to open in new tabs
+Content-Security-Policy: default-src 'none';
+Content-Security-Policy: img-src 'self' https://mat.services https://stats.mat.services;
+Content-Security-Policy: style-src 'self' https://mat.services 'unsafe-inline';
+Content-Security-Policy: font-src 'self' https://mat.services;
+Content-Security-Policy: script-src 'self' https://mat.services https://stats.mat.services;
+Content-Security-Policy: form-action 'none';
+Content-Security-Policy: frame-ancestors 'none';
+Content-Security-Policy: base-uri 'none';
+Content-Security-Policy: upgrade-insecure-requests;
+Content-Security-Policy: sandbox allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox;
+'''

headers/staging

@@ -0,0 +1,6 @@
+/*
+  Permissions-Policy: interest-cohort=()
+  X-Content-Type-Options: nosniff
+  X-Frame-Options: DENY
+  Referrer-Policy: no-referrer
+  Content-Security-Policy: default-src *;

netlify.toml

@@ -7,55 +7,7 @@
   publish = "public/"
   port = 1111
 
-[context.production]
-  [[redirects]]
-    from = "https://mat-services.netlify.app/*"
-    to = "https://mat.services/:splat"
-    force = true
-
-  [[headers]]
-    for = "/*"
-
-    [headers.values]
-      # disable FLoC tracking
-      Permissions-Policy = "interest-cohort=()"
-      # enable HSTS
-      Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
-      # disable clients from sniffing the media type
-      X-Content-Type-Options = "nosniff"
-      # clickjacking protection
-      X-Frame-Options = "DENY"
-      # keep referrer data off of HTTP connections
-      Referrer-Policy = "no-referrer"
-      # content security policy
-      # style-src 'unsafe-inline': syntax highlighting in codefences
-      # sandbox allow-popups: enable target="_blank" links to open in new tabs
-      Content-Security-Policy = '''
-      default-src 'none';
-      img-src 'self' https://mat.services https://stats.mat.services;
-      style-src 'self' https://mat.services 'unsafe-inline';
-      font-src 'self' https://mat.services;
-      script-src 'self' https://mat.services https://stats.mat.services;
-      form-action 'none';
-      frame-ancestors 'none';
-      base-uri 'none';
-      upgrade-insecure-requests;
-      sandbox
-        allow-same-origin
-        allow-scripts
-        allow-popups 
-        allow-popups-to-escape-sandbox
-      '''
-
-[context.deploy-preview]
-  [[headers]]
-      for = "/*"
-
-      [headers.values]
-        Permissions-Policy = "interest-cohort=()"
-        Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
-        X-Content-Type-Options = "nosniff"
-        X-Frame-Options = "DENY"
-        Referrer-Policy = "no-referrer"
-        Content-Security-Policy = "default-src *;"
-
+[[redirects]]
+  from = "https://mat-services.netlify.app/*"
+  to = "https://mat.services/:splat"
+  force = true