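# Rewrite every path to the SPA entry point. Status 200 makes this a
# rewrite (the URL in the browser is kept) rather than a redirect.
[[redirects]]
from = "/*"
to = "/index.html"
status = 200

[[headers]]
# Define which paths this specific [[headers]] block will cover.
for = "/*"

[headers.values]
# X-Content-Type-Options controls whether browsers attempt to detect
# the content type, rather than relying on the Content-Type header.
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
X-Content-Type-Options = "nosniff"

# Strict-Transport-Security to require HTTPS connections in supported
# browsers. These settings are required to be eligible for inclusion
# in the HSTS Preload list; see: https://hstspreload.org/
#
# The values below are folded onto one line with line-ending
# backslashes; the last directive has no trailing space so the header
# value ends cleanly.
Strict-Transport-Security = """\
max-age=63072000; \
includeSubDomains; \
preload\
"""

# Content-Security-Policy to prevent XSS attacks.
#
# default-src
# 'self' - all resources from current origin are permitted by default
# connect-src
# 'self' - all connections to current origin are permitted
# font-src
# 'self' - all fonts from current origin are permitted
# frame-ancestors
# 'self' - allow embedding in current origin
# frame-src
# 'self' - allow embedding of current origin
# img-src
# 'self' - all images from current origin are permitted
# data: - images embedded inline are permitted
# https://picsum.photos and https://i.picsum.photos - placeholder images
# media-src
# 'none' - no audio or video files are permitted
# object-src
# 'none' - no legacy objects are allowed; see
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
# script-src
# 'self' - all resources from current origin are permitted
# style-src
# 'self' - all styles from current origin are permitted
# 'unsafe-inline' - Tailwind styles are injected inline; this is the one
# relaxation in the policy, so keep it limited to style-src.
#
# NOTE(review): base-uri and form-action are not set and fall back to
# the browser default (unrestricted), not to default-src. Consider adding
# `base-uri 'self'; form-action 'self'` once it is confirmed that the site
# has no cross-origin form submissions.
Content-Security-Policy = """\
default-src 'self'; \
connect-src 'self'; \
font-src 'self'; \
frame-ancestors 'self'; \
frame-src 'self'; \
img-src 'self' data: https://picsum.photos https://i.picsum.photos; \
media-src 'none'; \
object-src 'none'; \
script-src 'self'; \
style-src 'self' 'unsafe-inline'\
"""

# Referrer-Policy controls the Referer header in requests.
#
# same-origin allows analytics tools to understand user journeys.
Referrer-Policy = "same-origin"

# X-Permitted-Cross-Domain-Policies controls whether this site can be
# embedded into Flash applications or PDF documents.
X-Permitted-Cross-Domain-Policies = "none"

# Permissions-Policy controls the features that the site can request.
# Every listed feature is set to `()`, i.e. denied for all origins,
# including this one.
#
# https://developer.chrome.com/en/docs/privacy-sandbox/permissions-policy/
# https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md
Permissions-Policy = """\
accelerometer=(), \
ambient-light-sensor=(), \
autoplay=(), \
battery=(), \
camera=(), \
cross-origin-isolated=(), \
display-capture=(), \
document-domain=(), \
encrypted-media=(), \
execution-while-not-rendered=(), \
execution-while-out-of-viewport=(), \
fullscreen=(), \
geolocation=(), \
gyroscope=(), \
hid=(), \
idle-detection=(), \
magnetometer=(), \
microphone=(), \
midi=(), \
navigation-override=(), \
payment=(), \
picture-in-picture=(), \
publickey-credentials-get=(), \
screen-wake-lock=(), \
serial=(), \
sync-xhr=(), \
usb=(), \
web-share=(), \
xr-spatial-tracking=()\
"""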