-
Notifications
You must be signed in to change notification settings - Fork 11
/
netlify.toml
121 lines (98 loc) · 3.55 KB
/
netlify.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
[build]
base = ""
publish = "_site/"
# I test my security headers with https://securityheaders.com/
[[headers]]
for = "/*"
[headers.values]
# https://scotthelme.co.uk/hardening-your-http-response-headers/#content-security-policy
#
# - youtube-nocookie.com is used for YouTube embeds
# - analytics.alexwlchan.net is used for my tracking pixel
#
content-security-policy = """\
default-src 'self' 'unsafe-inline' \
https://youtube-nocookie.com https://www.youtube-nocookie.com; \
script-src 'self' 'unsafe-inline'; \
connect-src https://analytics.alexwlchan.net; \
img-src 'self' 'unsafe-inline' data: \
"""
# https://scotthelme.co.uk/a-new-security-header-feature-policy/
# https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
permissions-policy = """\
geolocation=(), \
midi=(), \
notifications=(), \
push=(), \
sync-xhr=(), \
microphone=(), \
camera=(), \
magnetometer=(), \
gyroscope=(), \
vibrate=(),
payment=() \
"""
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
referrer-policy = "no-referrer-when-downgrade"
# This header tells browsers to always use HTTPS for the site.
#
# See https://scotthelme.co.uk/hardening-your-http-response-headers/#strict-transport-security
strict-transport-security = "max-age=31536000; includeSubDomains"
# This headers tells browsers that our content can't be loaded in frames.
#
# See https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
x-content-type-options = "nosniff"
# https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
x-frame-options = "DENY"
# https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection
x-xss-protection = "1; mode=block"
[[headers]]
for = "/2019/triangular-coordinates-in-svg/"
[headers.values]
# https://scotthelme.co.uk/hardening-your-http-response-headers/#content-security-policy
#
# These are specific overrides to allow MathJax to load on one page
# where I'm using it. I don't allow it on the broader site because
# it's unnecessary and gets warnings on security header checks.
content-security-policy = """\
default-src 'self' 'unsafe-inline' \
script-src 'self' 'unsafe-inline' \
https://polyfill.io \
https://cdn.jsdelivr.net \
'unsafe-eval'; \
font-src \
https://polyfill.io \
https://cdn.jsdelivr.net; \
connect-src https://analytics.alexwlchan.net; \
img-src 'self' 'unsafe-inline' data: \
"""
# I can set long-lived caches on all these static assets because I treat
# most files as immutable by filename -- if I modify a file, I'll upload a new
# file with a different name, so it won't be a cache hit.
#
# The one exception is CSS files, but I cache-bust those by passing a query parameter
# that includes the hash of my CSS source.
[[headers]]
for = "/files/*"
[headers.values]
cache-control = "public, max-age=31536000"
[[headers]]
for = "/images/*"
[headers.values]
cache-control = "public, max-age=31536000"
[[headers]]
for = "/favicons/*"
[headers.values]
cache-control = "public, max-age=31536000"
[[headers]]
for = "/static/*"
[headers.values]
cache-control = "public, max-age=31536000"
[[headers]]
for = "/headers/*"
[headers.values]
cache-control = "public, max-age=31536000"
[[headers]]
for = "/theme/*"
[headers.values]
cache-control = "public, max-age=31536000"