authorSerghei Iakovlev <egrep@protonmail.ch>2022-06-02 00:15:28 +0200
committerSerghei Iakovlev <egrep@protonmail.ch>2022-06-02 00:15:28 +0200
commita76041c62074773bf55f5e175f204f82e322b329 (patch)
tree13a1d190442fcfd906cafb26b79524749b519075
parent47909870e892dbbc9e6cee7f336bac36e374ff86 (diff)
downloadgohugo-theme-ed-a76041c62074773bf55f5e175f204f82e322b329.tar.gz
Setup Content-Security-Policy header
-rw-r--r--netlify.toml16
1 files changed, 16 insertions, 0 deletions
diff --git a/netlify.toml b/netlify.toml
index 0068add..bb58e5f 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -60,6 +60,22 @@
# This used to be called Feature Policy and is mainly only support by
# Chrome browsers. It’s used to control what browser APIs can be used.
Permissions-Policy = "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()"
+ # CSP makes it possible for server administrators to reduce or eliminate
+ # the vectors by which XSS can occur by specifying the domains that the
+ # browser should consider to be valid sources of executable scripts.
+ # A CSP compatible browser will then only execute scripts loaded in source
+ # files received from those allowed domains, ignoring all other scripts
+ # (including inline scripts and event-handling HTML attributes).
+ #
+ # Default to only allow content from the current site
+ # Allow images from current site and imgur.com
+ # Don't allow objects such as Flash and Java
+ # Only allow scripts from the current site
+ # Only allow styles from the current site
+ # Only allow frames from the current site
+ # Restrict URL's in the <base> tag to current site
+ # Allow forms to submit only to the current site and https://submit-form.com
+ Content-Security-Policy = "default-src 'self'; img-src 'self' https://i.imgur.com; object-src 'none'; script-src 'self'; style-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self' 'https://submit-form.com';"
[[headers]]
for = '/feeds/*.xml'
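Review bot: The host source in `form-action` on the new Content-Security-Policy line is wrapped in single quotes, which CSP reserves for keywords such as 'self' and 'none'; a quoted host is an invalid source expression, so browsers discard it and any form posting to submit-form.com would be blocked rather than allowed. The directive should read `form-action 'self' https://submit-form.com;`. The comment "Only allow frames from the current site" does not describe `frame-ancestors 'self'`, which restricts which sites may embed this one; which origins this site may itself frame is governed by `frame-src`, and here that falls back to `default-src 'self'`, so the comment should say "Only allow this site to be embedded by the current site". It is also worth confirming that the theme ships no inline scripts or styles, since `script-src 'self'` and `style-src 'self'` without nonces or hashes would block them.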