fix: add missing security headers (#307)

* fix: add missing security headers * fix: set security headers on any resources * fix: invalid rule * fix: add netlify CDN cloudfront * fix: set crossorigin attribute in webpack settings
Th3S4mur41 · Oct 5, 2021 · 2356658 · 2356658
1 parent 073c400
commit 2356658
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 4 deletions.
diff --git a/public/_headers b/public/_headers
@@ -1,9 +1,9 @@
 /*
+	Content-Security-Policy: default-src 'self' cloudfront.net *.cloudfront.net;
 	Referrer-Policy: no-referrer-when-downgrade
 	X-Content-Type-Options: nosniff
-
-/*.html
-	Content-Security-Policy: default-src 'self'
+	X-Frame-Options: DENY
+  X-XSS-Protection: 1; mode=block
 
 /*.js
 	Cache-Control: public, immutable, max-age=31536000

diff --git a/webpack.common.js b/webpack.common.js
@@ -13,7 +13,8 @@ module.exports = {
 	output: {
 		filename: 'app.[hash].js',
 		path: path.resolve(__dirname, 'dist'),
-		assetModuleFilename: 'assets/[hash][ext]'
+		assetModuleFilename: 'assets/[hash][ext]',
+		crossOriginLoading: 'anonymous'
 	},
 	resolve: {
 		alias: {