| author | Serghei Iakovlev <egrep@protonmail.ch> | 2022-06-01 20:43:43 +0200 |
|---|---|---|
| committer | Serghei Iakovlev <egrep@protonmail.ch> | 2022-06-01 20:43:43 +0200 |
| commit | 47909870e892dbbc9e6cee7f336bac36e374ff86 (patch) | |
| tree | 7199a1065ab74c6d59cb790c58b88497e86ffe78 | |
| parent | 2ad9549500cf64194bb9e052569735ab5016c52e (diff) | |
| download | gohugo-theme-ed-47909870e892dbbc9e6cee7f336bac36e374ff86.tar.gz | |
Setting Security Headers with Netlify
| -rw-r--r-- | netlify.toml | 37 |
1 files changed, 35 insertions, 2 deletions
diff --git a/netlify.toml b/netlify.toml
index c07aa86..0068add 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -29,6 +29,38 @@
 [context.next.environment]
 HUGO_ENABLEGITINFO = 'true'
 
+# There are a basic set of standard security headers that every
+# website should set to help make your website more secure.
+[[headers]]
+ for = "/*"
+ [headers.values]
+ # This sets whether you want your website to be in a frame or not.
+ # Most of the time you don’t, as it can open up a website to clickjacking.
+ X-Frame-Options = "DENY"
+ # In older browsers and mainly Safari, this stops pages loading
+ # when they detect reflected cross-site scripting attacks.
+ X-XSS-Protection = "1; mode=block"
+ # Used to stop browser from sniffing and changing MIME content type.
+ X-Content-Type-Options = "nosniff"
+ # This controls how much referrer information is included with
+ # requests.
+ Referrer-Policy = "same-origin"
+ # Inform browsers that the site should only be accessed using HTTPS,
+ # and that any future attempts to access it using HTTP should automatically
+ # be converted to HTTPS.
+ #
+ # includeSubDomains - If this optional parameter is specified, this rule
+ # applies to all of the site's subdomains as well.
+ #
+ # preload - If this optional parameter is specified, the browser will
+ # send a preload request to the server for the HTTPS version
+ # of the resource as soon as the user switches to the HTTPS
+ # version of the page.
+ Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload"
+ # This used to be called Feature Policy and is mainly only support by
+ # Chrome browsers. It’s used to control what browser APIs can be used.
+ Permissions-Policy = "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()"
+
 [[headers]]
 for = '/feeds/*.xml'
 [headers.values]
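Review bot: The `preload` explanation above `Strict-Transport-Security` describes the browser sending a "preload request" to the server, which is not what the directive does; it signals consent to have the domain hard-coded into browsers' built-in HSTS preload lists (together with every subdomain, since `includeSubDomains` is set), and removal from those lists is slow, so the comment should read `# preload - opts the domain and all subdomains into browsers' built-in HSTS preload list; removal is slow, so only set it once every subdomain serves HTTPS.` `X-XSS-Protection = "1; mode=block"` re-enables a legacy filter that Chromium-based browsers have removed and Firefox never implemented, and whose auditor has been a source of cross-site information leaks, so current guidance is `X-XSS-Protection = "0"` (or omitting the header) and relying on a Content-Security-Policy, which this header set does not define at all. The new block also uses double-quoted values while the rest of the file (`HUGO_ENABLEGITINFO = 'true'`, `for = '/feeds/*.xml'`) uses single quotes; keeping one quoting style would read more consistently.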
@@ -44,13 +76,14 @@
 [[headers]]
 for = '/*/feeds/*.xml'
 [headers.values]
+ # The same reason as above applies to Atom feeds.
 Content-Type = 'text/xml; charset=utf-8'
 
 [[headers]]
 for = '/feeds/*.json'
 [headers.values]
- # JSON Feed files should be served using the MIME type application/json.
- # JSON Feeds should be encoded using UTF-8.
+ # JSON Feed files should be served using the MIME type application/json
+ # and should be encoded using UTF-8.
 Content-Type = 'application/feed+json; charset=utf-8'
 
 [[headers]] |
