This is a site security issue; with Digital Gardens published as they are, there are no included security headers, and cross-site scripting is a real possibility.
As it is, sites like https://securityheaders.com and https://pentest-tools.com reveal the (admittedly low risk) lack of certain headers that would reduce the risk of phishing or XSS.
In Cloudflare, it's possible to manually add headers by modifying the `.eleventy.js` file to include `eleventyConfig.addPassthroughCopy("src/site/_headers")` and adding the file `/src/site/_headers` with the headers you want to add.
Vercel has some documentation regarding headers and adding them to projects, but I don't use Vercel, so I haven't gone through their process.
https://vercel.com/docs/edge-network/headers
https://vercel.com/docs/projects/project-configuration#headers
I'm not sure if there's a clean way to add headers easily to any deployment, but it would be great if the default option was secure.
As a side note, I wasn't able to get CSP to work, I believe due to the amount of on-page scripting, but I was able to get the other headers in place without causing any apparent conflicts.
I'm happy to help test or troubleshoot!
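As an added example (not code from the issue author or the Digital Garden project), the snippet below renders a Cloudflare Pages `_headers` file with the baseline headers that do not depend on the site's inline scripts (CSP is deliberately left out, matching the conflict described above), and includes a small checker that reports which of those headers a response is missing, the kind of check securityheaders.com performs. The header set and the path rule `/*` are assumptions; save the rendered output as `src/site/_headers` so the `addPassthroughCopy` line in `.eleventy.js` copies it into the build.

```javascript
// Added example: render a Cloudflare Pages `_headers` file and check a
// response against it. Assumes the site is built with Eleventy from src/site
// and that `_headers` is passed through to the build output.

// Baseline headers safe to enable without a CSP (assumed set; adjust per site).
const SECURITY_HEADERS = {
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
};

// Cloudflare Pages `_headers` format: a path rule line, followed by indented
// "Name: value" lines that apply to every response matching that rule.
function renderHeadersFile(headers = SECURITY_HEADERS, rule = "/*") {
  const lines = Object.entries(headers).map(([name, value]) => `  ${name}: ${value}`);
  return [rule, ...lines].join("\n") + "\n";
}

// Return the expected header names absent from `responseHeaders`, a plain
// object of name -> value as returned by fetch().headers or curl -I.
// Header names are compared case-insensitively, as HTTP requires.
function missingHeaders(responseHeaders, expected = SECURITY_HEADERS) {
  const present = new Set(Object.keys(responseHeaders).map((h) => h.toLowerCase()));
  return Object.keys(expected).filter((h) => !present.has(h.toLowerCase()));
}

// Usage: print the file to save as src/site/_headers, then show what a
// deployment without it would be missing (constructed sample response).
console.log(renderHeadersFile());
console.log("missing:", missingHeaders({ "content-type": "text/html; charset=utf-8" }));
```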