# Default build settings. Every [context.*] section below inherits these
# and only overrides `command` and/or environment variables.
# The Hugo site lives in exampleSite/; `--destination ../public` is
# expected to resolve to the repository-level `public/` directory that
# `publish` names — confirm if the layout changes.
[build]
publish = 'public'
command = 'hugo --source=exampleSite --gc --verbose --minify --destination ../public'

# Environment for production deploys. Hugo reads HUGO_* variables as
# configuration overrides, so these take effect without touching the
# site's config files.
[context.production.environment]
# Pinned so that builds are reproducible across Netlify image updates.
HUGO_VERSION = '0.101.0'
HUGO_ENV = 'production'
# Enables Hugo's .GitInfo (commit hash, author name/e-mail, dates) for
# templates that use it. Only what the templates render reaches the
# published pages, but author names/e-mails would be exposed if the
# theme renders them — worth checking the theme.
HUGO_ENABLEGITINFO = 'true'
# GA4 measurement id; it is embedded in the public pages anyway, so it is
# not a secret. The Content-Security-Policy further down must keep
# allowing the Google Analytics / Tag Manager hosts for it to work.
HUGO_GOOGLEANALYTICS = 'G-DP9Q137C3X'

# Build command for the `split1` context (presumably a split-testing
# branch — confirm). Git info is enabled with the --enableGitInfo flag
# here rather than via HUGO_ENABLEGITINFO as production does; the effect
# should be the same. Unlike [build], --verbose is not passed.
[context.split1]
command = 'hugo --source=exampleSite --gc --minify --enableGitInfo --destination ../public'

# `split1` builds with the same Hugo version and environment as
# production, so its output is comparable with the production site.
[context.split1.environment]
HUGO_VERSION = '0.101.0'
HUGO_ENV = 'production'

# Deploy previews (built for pull/merge requests). --buildDrafts and
# --buildFuture include content that production deliberately leaves out;
# preview URLs are reachable by anyone with the link unless the site's
# visitor access controls restrict them, so draft material is effectively
# public here.
# $DEPLOY_PRIME_URL is expanded by Netlify's build shell, not by TOML.
[context.deploy-preview]
command = 'hugo --source=exampleSite --gc --minify --buildDrafts --buildFuture --baseURL $DEPLOY_PRIME_URL --destination ../public'

# Previews pin the same Hugo version as production; HUGO_ENV is left at
# Hugo's default, so environment-gated template logic behaves as in a
# non-production build.
[context.deploy-preview.environment]
HUGO_VERSION = '0.101.0'

# Branch deploys: like production but with the base URL pointed at the
# branch's own Netlify address. Drafts and future-dated content are not
# built here, unlike deploy previews.
[context.branch-deploy]
command = 'hugo --source=exampleSite --gc --minify --baseURL $DEPLOY_PRIME_URL --destination ../public'

# Same Hugo version pin as the other contexts.
[context.branch-deploy.environment]
HUGO_VERSION = '0.101.0'

# Environment for the `next` branch. It uses the default [build] command
# and, unlike every other context, does not pin HUGO_VERSION, so it builds
# with whatever Hugo the Netlify build image provides — probably worth
# pinning to match the others.
[context.next.environment]
HUGO_ENABLEGITINFO = 'true'

# Baseline security headers attached to every response (`for = '/*'`).
# The more specific [[headers]] entries further down only add a
# Content-Type and do not replace this set.
[[headers]]
for = '/*'

[headers.values]
# Refuses to be framed by any site (clickjacking). The CSP below also
# sets frame-ancestors 'none', which is the modern equivalent and takes
# precedence in browsers that understand it; keeping both covers older
# browsers.
X-Frame-Options = 'DENY'
# Legacy reflected-XSS filter. NOTE(review): the auditor has been removed
# from Chromium-based browsers and current guidance (e.g. OWASP) is to set
# this to `0` or omit it, because the filter itself has been abused for
# information leaks; the Content-Security-Policy below is the real
# protection. Left unchanged pending that decision.
X-XSS-Protection = '1; mode=block'
# Stops the browser from guessing a MIME type that differs from the
# declared Content-Type (relevant to the feed/manifest overrides below).
X-Content-Type-Options = 'nosniff'
# Full referrer for same-origin requests, none at all cross-origin. This
# also means third-party analytics receive no referrer from this site.
Referrer-Policy = 'same-origin'
# HSTS: a browser that has seen this header uses HTTPS only for the site
# for max-age seconds (31536000 = one year, the preload-list minimum).
#
# includeSubDomains - every subdomain must serve HTTPS correctly, since
#                     browsers will refuse plain HTTP to all of them.
#
# preload - a flag that makes the domain eligible for submission to the
#           browsers' built-in HSTS preload list (hstspreload.org); it
#           does not cause any extra request by itself. Once preloaded,
#           reverting takes many months, so only keep it if all
#           subdomains are committed to HTTPS.
Strict-Transport-Security = 'max-age=31536000; includeSubDomains; preload'
# Formerly Feature-Policy; honoured mainly by Chromium-based browsers.
# An empty allowlist `()` denies the API to this origin and to every
# embedded frame. interest-cohort=() opted the site out of FLoC, which
# has since been retired; it is harmless to keep.
Permissions-Policy = 'accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()'
# Content-Security-Policy: restricts where scripts, styles, images, etc.
# may be loaded from, so that an injected <script> tag or inline event
# handler is not executed. Points worth knowing about this policy:
#   - script-src permits the *.netlify.app / *.netlify.com wildcards,
#     i.e. script hosted by any site on those domains; presumably
#     needed for Netlify's own injected scripts — narrow if possible.
#   - style-src 'unsafe-inline' permits injected inline styles; needed
#     if the theme emits style attributes — confirm.
#   - object-src 'self' still allows self-hosted plugin content;
#     'none' is the usual choice when no plugins are served.
#   - report-uri is deprecated in favour of report-to but remains the
#     most widely supported reporting directive; violation reports go
#     to the report-uri.com endpoint named at the end.
#   - frame-ancestors 'none' duplicates X-Frame-Options above, and
#     upgrade-insecure-requests complements the HSTS header.
Content-Security-Policy = "default-src 'self'; script-src 'self' *.netlify.app *.netlify.com *.googletagmanager.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: *.google-analytics.com *.googletagmanager.com; font-src 'self'; connect-src 'self' *.google-analytics.com *.analytics.google.com *.googletagmanager.com; media-src 'self'; object-src 'self'; frame-src 'none'; worker-src 'self'; frame-ancestors 'none'; form-action 'self' submit-form.com; upgrade-insecure-requests; base-uri 'self'; manifest-src 'self'; report-uri https://edtheme.report-uri.com/r/d/csp/enforce"

# Atom feeds at the site root.
[[headers]]
for = '/feeds/*.xml'

[headers.values]
# The registered media type for Atom is application/atom+xml, but
# Chromium does not handle it correctly (see
# https://code.google.com/p/chromium/issues/detail?id=104358), so the
# more compatible 'text/xml; charset=utf-8' is sent instead; most clients
# still parse the feed correctly. The generated feed must actually be
# UTF-8 for the charset parameter to be truthful.
Content-Type = 'text/xml; charset=utf-8'

# Atom feeds one path level below the root (per-section feeds).
[[headers]]
for = '/*/feeds/*.xml'

[headers.values]
# Same Chromium compatibility reasoning as for the root-level feeds.
Content-Type = 'text/xml; charset=utf-8'

# JSON Feed files at the site root.
[[headers]]
for = '/feeds/*.json'

[headers.values]
# JSON Feed 1.1 registers application/feed+json as its media type (1.0
# used plain application/json), and the spec requires UTF-8 encoding.
Content-Type = 'application/feed+json; charset=utf-8'

# JSON Feed files one path level below the root (per-section feeds).
[[headers]]
for = '/*/feeds/*.json'

[headers.values]
# Same media type as the root-level JSON feeds.
Content-Type = 'application/feed+json; charset=utf-8'

# Web app manifest.
[[headers]]
for = '/manifest.webmanifest'

[headers.values]
# The Web App Manifest spec's media type registration says the manifest
# response should carry Content-Type: application/manifest+json.
# See: https://w3c.github.io/manifest/#media-type-registration=
Content-Type = 'application/manifest+json; charset=utf-8'

# robots.txt must be served as plain text.
[[headers]]
for = '/robots.txt'

[headers.values]
# NOTE(review): this label claims US-ASCII. Google's robots.txt
# documentation accepts UTF-8, and if the generated file ever contains
# non-ASCII bytes (a BOM, or UTF-8 in comments) the declared charset
# would be wrong — confirm the generated file is pure ASCII, or switch
# the parameter to charset=utf-8.
Content-Type = 'text/plain; charset=us-ascii'