draft security headers

layouts/index.headers

@@ -5,7 +5,6 @@
   Referrer-Policy: strict-origin-when-cross-origin
   X-Content-Type-Options: nosniff
   X-Frame-Options: sameorigin
-  X-XSS-Protection: 1; mode=block
 
 # Super long cache for web fonts (one year)
 /fonts/*

netlify.toml

@@ -32,6 +32,18 @@
 # The most important headers and redirects are specified in the _headers and
 # _redirects files generated by Hugo. These are additional custom rules.
 
+# Custom security headers
+[[headers]]
+  for = "/*"
+  [headers.values]
+    # Report-To = "{\"group\":\"default\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://jarvis.report-uri.com/a/d/g\"}]}"
+    # NEL = "{\"report_to\":\"default\",\"max_age\":604800}"
+    # Content-Security-Policy = "default-src 'none'; script-src 'self' platform.twitter.com syndication.twitter.com cdn.syndication.twimg.com buttons.github.io assets.codepen.io production-assets.codepen.io; style-src 'self' 'unsafe-inline' fonts.googleapis.com platform.twitter.com assets-cdn.github.com github.githubassets.com; img-src 'self' data: https:; font-src 'self' fonts.gstatic.com; form-action 'self'; child-src 'self' www.youtube.com www.youtube-nocookie.com twitter.com syndication.twitter.com platform.twitter.com codepen.io cdpn.io; frame-src 'self'; frame-ancestors 'self'; base-uri 'none'; object-src 'self'; worker-src 'none'; connect-src 'self' jarvis.report-uri.com syndication.twitter.com api.github.com; upgrade-insecure-requests; report-uri https://jarvis.report-uri.com/r/d/csp/enforce; report-to default"
+    # Feature-Policy = "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; sync-xhr 'none'; payment 'none'; usb 'none'; vr 'none'"
+    X-XSS-Protection = "1; mode=block"
+    # X-XSS-Protection = "1; mode=block; report=https://jarvis.report-uri.com/r/d/xss/enforce"
+    X-Got-Milk = "always"
+
 # PGP file: open in browser, download correctly
 [[headers]]
   for = "/jarvis.asc"