Add per env headers
parent
1cf880cec7
commit
0a03c3bb4c
|
@ -28,6 +28,7 @@
|
||||||
${optionalString (!prod) "BASE_URL=https://${rev}--mat-services.netlify.app"}
|
${optionalString (!prod) "BASE_URL=https://${rev}--mat-services.netlify.app"}
|
||||||
zola build --drafts ${optionalString (!prod) "--base-url $BASE_URL"}
|
zola build --drafts ${optionalString (!prod) "--base-url $BASE_URL"}
|
||||||
# zola's ignored_content setting doesn't work in static/
|
# zola's ignored_content setting doesn't work in static/
|
||||||
|
cp headers/${if prod then "production" else "staging"} public/_headers
|
||||||
rm -rf public/image/_favicon.svg
|
rm -rf public/image/_favicon.svg
|
||||||
'';
|
'';
|
||||||
in
|
in
|
||||||
|
|
|
@ -0,0 +1,24 @@
|
||||||
|
# disable FLoC tracking
|
||||||
|
Permissions-Policy: interest-cohort=()
|
||||||
|
# enable HSTS
|
||||||
|
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
|
||||||
|
# disable clients from sniffing the media type
|
||||||
|
X-Content-Type-Options: nosniff
|
||||||
|
# clickjacking protection
|
||||||
|
X-Frame-Options: DENY
|
||||||
|
# keep referrer data off of HTTP connections
|
||||||
|
Referrer-Policy: no-referrer
|
||||||
|
# content security policy
|
||||||
|
# style-src 'unsafe-inline': syntax highlighting in codefences
|
||||||
|
# sandbox allow-popups: enable target="_blank" links to open in new tabs
|
||||||
|
Content-Security-Policy: default-src 'none';
|
||||||
|
Content-Security-Policy: img-src 'self' https://mat.services https://stats.mat.services;
|
||||||
|
Content-Security-Policy: style-src 'self' https://mat.services 'unsafe-inline';
|
||||||
|
Content-Security-Policy: font-src 'self' https://mat.services;
|
||||||
|
Content-Security-Policy: script-src 'self' https://mat.services https://stats.mat.services;
|
||||||
|
Content-Security-Policy: form-action 'none';
|
||||||
|
Content-Security-Policy: frame-ancestors 'none';
|
||||||
|
Content-Security-Policy: base-uri 'none';
|
||||||
|
Content-Security-Policy: upgrade-insecure-requests;
|
||||||
|
Content-Security-Policy: sandbox allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox;
|
||||||
|
'''
|
|
@ -0,0 +1,6 @@
|
||||||
|
/*
|
||||||
|
Permissions-Policy: interest-cohort=()
|
||||||
|
X-Content-Type-Options: nosniff
|
||||||
|
X-Frame-Options: DENY
|
||||||
|
Referrer-Policy: no-referrer
|
||||||
|
Content-Security-Policy: default-src *;
|
50
netlify.toml
50
netlify.toml
|
@ -7,55 +7,7 @@
|
||||||
publish = "public/"
|
publish = "public/"
|
||||||
port = 1111
|
port = 1111
|
||||||
|
|
||||||
[context.production]
|
[[redirects]]
|
||||||
[[redirects]]
|
|
||||||
from = "https://mat-services.netlify.app/*"
|
from = "https://mat-services.netlify.app/*"
|
||||||
to = "https://mat.services/:splat"
|
to = "https://mat.services/:splat"
|
||||||
force = true
|
force = true
|
||||||
|
|
||||||
[[headers]]
|
|
||||||
for = "/*"
|
|
||||||
|
|
||||||
[headers.values]
|
|
||||||
# disable FLoC tracking
|
|
||||||
Permissions-Policy = "interest-cohort=()"
|
|
||||||
# enable HSTS
|
|
||||||
Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
|
|
||||||
# disable clients from sniffing the media type
|
|
||||||
X-Content-Type-Options = "nosniff"
|
|
||||||
# clickjacking protection
|
|
||||||
X-Frame-Options = "DENY"
|
|
||||||
# keep referrer data off of HTTP connections
|
|
||||||
Referrer-Policy = "no-referrer"
|
|
||||||
# content security policy
|
|
||||||
# style-src 'unsafe-inline': syntax highlighting in codefences
|
|
||||||
# sandbox allow-popups: enable target="_blank" links to open in new tabs
|
|
||||||
Content-Security-Policy = '''
|
|
||||||
default-src 'none';
|
|
||||||
img-src 'self' https://mat.services https://stats.mat.services;
|
|
||||||
style-src 'self' https://mat.services 'unsafe-inline';
|
|
||||||
font-src 'self' https://mat.services;
|
|
||||||
script-src 'self' https://mat.services https://stats.mat.services;
|
|
||||||
form-action 'none';
|
|
||||||
frame-ancestors 'none';
|
|
||||||
base-uri 'none';
|
|
||||||
upgrade-insecure-requests;
|
|
||||||
sandbox
|
|
||||||
allow-same-origin
|
|
||||||
allow-scripts
|
|
||||||
allow-popups
|
|
||||||
allow-popups-to-escape-sandbox
|
|
||||||
'''
|
|
||||||
|
|
||||||
[context.deploy-preview]
|
|
||||||
[[headers]]
|
|
||||||
for = "/*"
|
|
||||||
|
|
||||||
[headers.values]
|
|
||||||
Permissions-Policy = "interest-cohort=()"
|
|
||||||
Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
|
|
||||||
X-Content-Type-Options = "nosniff"
|
|
||||||
X-Frame-Options = "DENY"
|
|
||||||
Referrer-Policy = "no-referrer"
|
|
||||||
Content-Security-Policy = "default-src *;"
|
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue