# Settings in the [build] context are global and are applied to
# all contexts unless otherwise overridden by more specific contexts.
[build]
# Directory that contains the deploy-ready HTML files and
# assets generated by the build. This is relative to the base
# directory if one has been set, or the root directory if
# a base has not been set. This file publishes the 'public'
# directory, which is where the build commands in the context tables
# write their output (--source=exampleSite --destination ../public).
publish = 'public'
# Environment variables made available to the build in every context.
# The values are given as quoted strings, including the boolean-looking one.
[build.environment]
# Hugo release to build with.
# NOTE(review): presumably read by the Netlify build image to select
# the Hugo binary - confirm against the build log.
HUGO_VERSION = '0.101.0'
# Hugo reads HUGO_* variables as configuration overrides; this one
# duplicates the --enableGitInfo flag that every build command in this
# file already passes.
HUGO_ENABLEGITINFO = 'true'
# Production context: all deploys from the Production branch
# set in your site's Branches settings in the UI will inherit
# these settings. You can define environment variables
# here but we recommend using the Netlify UI for sensitive
# values to keep them out of your source repository.
[context.production]
# Production build: no drafts or future-dated content, and no --baseURL
# override, so the base URL comes from the Hugo site configuration.
command = 'hugo --enableGitInfo --source=exampleSite --destination ../public'
[context.production.environment]
HUGO_ENV = 'production'
# Google Analytics measurement ID. It is embedded in every published
# page, so it is an identifier rather than a secret; real secrets
# belong in the Netlify UI, as the comment above recommends.
HUGO_GOOGLEANALYTICS = 'G-DP9Q137C3X'
# Deploy Preview context: all deploys generated from
# a pull/merge request will inherit these settings.
[context.deploy-preview]
# TOML does not interpolate ${DEPLOY_PRIME_URL}; the literal text is
# passed through and expanded when the command runs in the build shell.
# --buildDrafts and --buildFuture publish draft and future-dated content.
# NOTE(review): preview URLs are presumably reachable by anyone who has
# the link - confirm that no unpublished content in the repository is
# sensitive, or restrict access to previews.
command = 'hugo --enableGitInfo --source=exampleSite --buildDrafts --buildFuture --baseURL ${DEPLOY_PRIME_URL} --destination ../public'
[context.deploy-preview.environment]
HUGO_ENV = 'development'
# Branch Deploy context: all deploys that are not from
# a pull/merge request or from the Production branch
# will inherit these settings.
[context.branch-deploy]
# Same command as the deploy-preview context, so drafts and
# future-dated content are published here as well.
command = 'hugo --enableGitInfo --source=exampleSite --buildDrafts --buildFuture --baseURL ${DEPLOY_PRIME_URL} --destination ../public'
[context.branch-deploy.environment]
HUGO_ENV = 'development'
# A baseline set of security response headers, applied to every path
# on the site through the '/*' pattern.
[[headers]]
for = '/*'
[headers.values]
# Controls whether the site may be rendered inside a frame. 'DENY'
# forbids all framing, which protects against clickjacking. The CSP
# below states the same policy with frame-ancestors 'none'.
X-Frame-Options = 'DENY'
# Legacy header: asks the reflected-XSS filter in older browsers
# (mainly Safari) to stop loading the page when it detects an attack.
# NOTE(review): most current browsers have removed this filter, and
# current guidance (e.g. the OWASP Secure Headers Project) is to send
# '0' or omit the header and rely on the CSP - confirm this value is
# still wanted.
X-XSS-Protection = '1; mode=block'
# Stops the browser from sniffing the response body and overriding the
# declared MIME type, so every Content-Type served must be correct.
X-Content-Type-Options = 'nosniff'
# Controls how much referrer information is included with requests.
# 'same-origin' sends the referrer only on same-origin requests and
# omits it on cross-origin ones.
Referrer-Policy = 'same-origin'
# Inform browsers that the site should only be accessed using HTTPS,
# and that any future attempts to access it using HTTP should automatically
# be converted to HTTPS.
#
# max-age=31536000 - browsers remember the rule for one year.
#
# includeSubDomains - If this optional parameter is specified, this rule
# applies to all of the site's subdomains as well.
#
# preload - Not part of the HSTS specification. It signals consent for
# the domain to be added to the HSTS preload lists shipped inside
# browsers, and has no effect until the domain is submitted to such a
# list. Removal from a preload list is slow, so every subdomain must
# serve HTTPS before the domain is submitted.
Strict-Transport-Security = 'max-age=31536000; includeSubDomains; preload'
# This used to be called Feature Policy and is mainly supported by
# Chromium-based browsers. It controls which browser APIs can be used;
# an empty allowlist "()" disables the feature for this site and for
# any frames it embeds.
# NOTE(review): interest-cohort was the opt-out for Chrome's FLoC
# trial, which has been discontinued; the entry is likely removable -
# confirm.
Permissions-Policy = 'accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()'
# CSP makes it possible for server administrators to reduce or eliminate
# the vectors by which XSS can occur by specifying the domains that the
# browser should consider to be valid sources of executable scripts.
# A CSP compatible browser will then only execute scripts loaded in source
# files received from those allowed domains, ignoring all other scripts
# (including inline scripts and event-handling HTML attributes).
#
# NOTE(review): script-src allows the wildcards *.netlify.app and
# *.netlify.com. These are shared hosting domains, so content hosted
# there by any other party also counts as an allowed script source,
# which weakens the protection described above. Prefer listing the
# exact hosts the site needs.
# NOTE(review): object-src is 'self'; 'none' is the usual choice unless
# the site really embeds plugin content - confirm.
# NOTE(review): violation reports are sent to a third-party endpoint
# through report-uri. That directive is deprecated in favour of
# report-to but is still widely supported; consider sending both.
Content-Security-Policy = "default-src 'self'; script-src 'self' *.netlify.app *.netlify.com *.googletagmanager.com; style-src 'self'; img-src 'self' data: *.google-analytics.com *.googletagmanager.com *.gstatic.com; font-src 'self'; connect-src 'self' *.google-analytics.com analytics.google.com *.googletagmanager.com *.doubleclick.net; media-src 'self'; object-src 'self'; frame-src 'none'; worker-src 'self'; frame-ancestors 'none'; form-action 'self' submit-form.com; upgrade-insecure-requests; base-uri 'self'; manifest-src 'self'; report-uri https://egrep.report-uri.com/r/d/csp/enforce"
# Content-Type overrides for feed files. The site-wide '/*' rule sends
# X-Content-Type-Options: nosniff, so browsers will not second-guess
# these declared types and they need to be right.
[[headers]]
for = '/feeds/*.xml'
[headers.values]
# The correct Content-Type header for an Atom feed is
# application/atom+xml. However, Chromium does not handle it
# correctly (see https://code.google.com/p/chromium/issues/detail?id=104358).
#
# The most compatible header is 'text/xml; charset=utf-8', which
# will cause the feed to be parsed correctly by most clients.
# Note that you should be encoding your feed in UTF-8.
Content-Type = 'text/xml; charset=utf-8'
[[headers]]
for = '/*/feeds/*.xml'
[headers.values]
# Same reasoning as the '/feeds/*.xml' rule above, for Atom feeds
# that live under a path prefix.
Content-Type = 'text/xml; charset=utf-8'
[[headers]]
for = '/feeds/*.json'
[headers.values]
# JSON Feed files are served here as application/feed+json, the media
# type named by JSON Feed 1.1 (version 1 of the format used
# application/json), and should be encoded using UTF-8.
Content-Type = 'application/feed+json; charset=utf-8'
[[headers]]
for = '/*/feeds/*.json'
[headers.values]
# Same media type as the '/feeds/*.json' rule above, for JSON feeds
# that live under a path prefix.
Content-Type = 'application/feed+json; charset=utf-8'
[[headers]]
for = '/manifest.webmanifest'
[headers.values]
# The .webmanifest extension is specified in the Media type registration
# section of the specification (the response of the manifest file should
# return Content-Type: application/manifest+json).
#
# For more see: https://w3c.github.io/manifest/#media-type-registration
Content-Type = 'application/manifest+json; charset=utf-8'
[[headers]]
for = '/robots.txt'
[headers.values]
# The robots.txt file is served as plain text and declared as ASCII.
# NOTE(review): RFC 9309 specifies UTF-8 for robots.txt. ASCII is a
# subset of UTF-8, so this declaration is accurate only while the file
# contains no non-ASCII characters - confirm, or declare utf-8.
Content-Type = 'text/plain; charset=us-ascii'