diff --git a/layouts/index.headers b/layouts/index.headers
index c8cb4bc5..c1be2bf2 100644
--- a/layouts/index.headers
+++ b/layouts/index.headers
@@ -5,7 +5,6 @@
 Referrer-Policy: strict-origin-when-cross-origin
 X-Content-Type-Options: nosniff
 X-Frame-Options: sameorigin
- X-XSS-Protection: 1; mode=block
 # Super long cache for web fonts (one year)
 /fonts/*
diff --git a/netlify.toml b/netlify.toml
index 705433ae..d9c5c466 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -32,6 +32,18 @@
 # The most important headers and redirects are specified in the _headers and
 # _redirects files generated by Hugo. These are additional custom rules.
+# Custom security headers
+[[headers]]
+ for = "/*"
+ [headers.values]
+ # Report-To = "{\"group\":\"default\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://jarvis.report-uri.com/a/d/g\"}]}"
+ # NEL = "{\"report_to\":\"default\",\"max_age\":604800}"
+ # Content-Security-Policy = "default-src 'none'; script-src 'self' platform.twitter.com syndication.twitter.com cdn.syndication.twimg.com buttons.github.io assets.codepen.io production-assets.codepen.io; style-src 'self' 'unsafe-inline' fonts.googleapis.com platform.twitter.com assets-cdn.github.com github.githubassets.com; img-src 'self' data: https:; font-src 'self' fonts.gstatic.com; form-action 'self'; child-src 'self' www.youtube.com www.youtube-nocookie.com twitter.com syndication.twitter.com platform.twitter.com codepen.io cdpn.io; frame-src 'self'; frame-ancestors 'self'; base-uri 'none'; object-src 'self'; worker-src 'none'; connect-src 'self' jarvis.report-uri.com syndication.twitter.com api.github.com; upgrade-insecure-requests; report-uri https://jarvis.report-uri.com/r/d/csp/enforce; report-to default"
+ # Feature-Policy = "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; sync-xhr 'none'; payment 'none'; usb 'none'; vr 'none'"
+ X-XSS-Protection = "1; mode=block"
+ # X-XSS-Protection = "1; mode=block; report=https://jarvis.report-uri.com/r/d/xss/enforce"
+ X-Got-Milk = "always"
+
 # PGP file: open in browser, download correctly
 [[headers]]
 for = "/jarvis.asc"
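Review bot: `X-XSS-Protection = "1; mode=block"` under `[headers.values]` re-adds a deprecated, non-standard header that current browsers no longer act on, while the mitigation that actually matters in this block, the `Content-Security-Policy` line directly above it, stays commented out. Current guidance is to send `X-XSS-Protection = "0"` or omit the header entirely and let CSP do the work, because in the browsers that did implement the legacy filter it was itself a source of side-channel problems; at minimum a comment such as `# Legacy header kept for old browsers only; CSP above is the intended control` would record why it is here. The block also leaves `Referrer-Policy`, `X-Content-Type-Options` and `X-Frame-Options` in `layouts/index.headers` and moves only this one header to `netlify.toml`, so the security headers are now split across two files; if Netlify combines both sources (inferred, not visible here) a one-line comment naming the other file would stop a reader from assuming this `for = "/*"` block is the complete set.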