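# Netlify build and response-header configuration for the Hugo example site.

# Settings in the [build] context are global and are applied to
# all contexts unless otherwise overridden by more specific contexts.
[build]
# Directory that contains the deploy-ready HTML files and assets
# generated by the build. This is relative to the base directory if
# one has been set, or the root directory if a base has not been set.
# Every build command below writes the generated site to this directory.
publish = 'public'

[build.environment]
HUGO_VERSION = '0.147.8'
HUGO_ENABLEGITINFO = 'true'

# Production context: all deploys from the Production branch
# set in your site's Branches settings in the UI will inherit
# these settings. You can define environment variables
# here, but we recommend using the Netlify UI for sensitive
# values to keep them out of your source repository.
[context.production]
# The steps are chained with `&&` so that a failed Hugo build fails the
# deploy. With `;` the command's exit status would be that of the final
# `cp`, which can mask a broken build and publish an incomplete site.
# The copied file is the Google site-verification page.
command = 'hugo --source=exampleSite --baseURL ${URL} --destination ../public --minify && cp google68c3edfdb3673ddb.html ./public'

[context.production.environment]
HUGO_ENV = 'production'
HUGO_ENABLEGITINFO = 'true'

# Deploy Preview context: all deploys generated from
# a pull/merge request will inherit these settings.
[context.deploy-preview]
# --buildDrafts and --buildFuture render unpublished content, so anything
# in a draft is readable by whoever can open the preview URL.
# NOTE(review): `;` lets Hugo run even when `npm run netlify-preview`
# fails; switch to `&&` if that step is required for a valid preview.
command = 'npm run netlify-preview; hugo --source=exampleSite --buildDrafts --buildFuture --baseURL ${DEPLOY_PRIME_URL} --destination ../public --minify'

[context.deploy-preview.environment]
HUGO_ENV = 'development'

# Branch Deploy context: all deploys that are not from
# a pull/merge request or from the Production branch
# will inherit these settings.
[context.branch-deploy]
# Drafts and future-dated pages are rendered here as well (see the flags).
command = 'hugo --source=exampleSite --buildDrafts --buildFuture --baseURL ${DEPLOY_PRIME_URL} --destination ../public'

[context.branch-deploy.environment]
HUGO_ENV = 'development'

# There is a basic set of standard security headers that every
# website should set to help make it more secure.
[[headers]]
for = '/*'

[headers.values]
# This sets whether you want your website to be in a frame or not.
# Most of the time you don't, as it can open up a website to clickjacking.
# The CSP below also sends frame-ancestors 'none', which expresses the
# same restriction; both headers are set here.
X-Frame-Options = 'DENY'
# In older browsers and mainly Safari, this stops pages loading
# when they detect reflected cross-site scripting attacks.
# NOTE(review): the XSS filter this header controls has been removed from
# current Chromium and was never implemented in Firefox; OWASP's header
# guidance is to send '0' or omit the header and rely on the CSP below.
# Left unchanged here; confirm whether legacy clients still need it.
X-XSS-Protection = '1; mode=block'
# Used to stop browsers from sniffing and changing the MIME content type.
X-Content-Type-Options = 'nosniff'
# This controls how much referrer information is included with
# requests. 'same-origin' sends no referrer on cross-origin requests.
Referrer-Policy = 'same-origin'
# Inform browsers that the site should only be accessed using HTTPS,
# and that any future attempts to access it using HTTP should automatically
# be converted to HTTPS.
#
# includeSubDomains - If this optional parameter is specified, this rule
#                     applies to all of the site's subdomains as well.
#
# preload - Signals consent for the domain to be added to the HSTS preload
#           lists built into browsers, so that even a first visit is made
#           over HTTPS. Removal from those lists is slow, so every
#           subdomain must be able to serve HTTPS before relying on this.
Strict-Transport-Security = 'max-age=31536000; includeSubDomains; preload'
# This used to be called Feature Policy and is mainly only supported by
# Chrome browsers. It's used to control what browser APIs can be used.
# An empty allowlist `()` disables the feature for this site and any
# frames it embeds.
Permissions-Policy = '''
accelerometer=(),
camera=(),
geolocation=(),
gyroscope=(),
magnetometer=(),
microphone=(),
payment=(),
usb=()'''
# CSP makes it possible for server administrators to reduce or eliminate
# the vectors by which XSS can occur by specifying the domains that the
# browser should consider to be valid sources of executable scripts.
# A CSP compatible browser will then only execute scripts loaded in source
# files received from those allowed domains, ignoring all other scripts
# (including inline scripts and event-handling HTML attributes).
#
# Every third-party host listed here is trusted to serve content into the
# page; remove the entries for integrations the site does not use.
# NOTE(review): object-src 'self' still permits plugin content from this
# origin; 'none' is the usual hardened value when the site embeds no
# <object>/<embed> content. Left unchanged; confirm against the theme.
Content-Security-Policy = """
default-src 'self';
script-src 'self' www.googletagmanager.com hypothes.is cdn.hypothes.is giscus.app;
style-src 'self' cdn.hypothes.is giscus.app;
img-src 'self' data: *.google-analytics.com www.googletagmanager.com www.gstatic.com stats.g.doubleclick.net;
font-src 'self';
connect-src 'self' *.google-analytics.com *.analytics.google.com analytics.google.com www.googletagmanager.com stats.g.doubleclick.net;
media-src 'self';
object-src 'self';
frame-src hypothes.is giscus.app;
worker-src 'self';
frame-ancestors 'none';
form-action 'self' submit-form.com;
upgrade-insecure-requests;
base-uri 'self';
manifest-src 'self'"""

[[headers]]
for = '/feeds/*.xml'

[headers.values]
# The correct Content-Type header for an Atom feed is
# application/atom+xml. However, Chromium does not handle it
# correctly (see https://code.google.com/p/chromium/issues/detail?id=104358).
#
# The most compatible header is 'text/xml; charset=utf-8', which
# will cause the feed to be parsed correctly by most clients.
# Note that you should be encoding your feed in UTF-8.
Content-Type = 'text/xml; charset=utf-8'

[[headers]]
for = '/*/feeds/*.xml'

[headers.values]
# Same reasoning as for '/feeds/*.xml': serve Atom feeds in nested
# sections as 'text/xml' for client compatibility.
Content-Type = 'text/xml; charset=utf-8'

[[headers]]
for = '/feeds/*.json'

[headers.values]
# JSON Feed files are served with the dedicated feed MIME type
# application/feed+json (JSON Feed 1.1) and should be encoded using UTF-8.
Content-Type = 'application/feed+json; charset=utf-8'

[[headers]]
for = '/*/feeds/*.json'

[headers.values]
# Same MIME type as for '/feeds/*.json', for feeds in nested sections.
Content-Type = 'application/feed+json; charset=utf-8'

[[headers]]
for = '/manifest.webmanifest'

[headers.values]
# The .webmanifest extension is specified in the Media type registration
# section of the specification (the response of the manifest file should
# return Content-Type: application/manifest+json).
#
# For more see: https://w3c.github.io/manifest/#media-type-registration
Content-Type = 'application/manifest+json; charset=utf-8'

[[headers]]
for = '/robots.txt'

[headers.values]
# The server's robots.txt file must be saved as plain text with
# ASCII character encoding.
Content-Type = 'text/plain; charset=us-ascii'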