diff --git a/netlify.toml b/netlify.toml index 01ae9e2..21f3427 100644 --- a/netlify.toml +++ b/netlify.toml @@ -1,17 +1,3 @@ -[[headers]] - for = "/*" - [headers.values] - Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload" - Content-Security-Policy = "default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com; block-all-mixed-content; base-uri 'none'" - X-Content-Type-Options = "nosniff" - Referrer-Policy = "no-referrer" - Cross-Origin-Opener-Policy = "same-origin" - X-Frame-Options = "DENY" - X-XSS-Protection = "0" - Permissions-Policy = "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()" - Cross-Origin-Resource-Policy = "same-origin" - Expect-CT = "max-age=63072000, enforce" - [build.environment] HUGO_VERSION = "0.101.0" diff --git a/_headers b/static/_headers similarity index 60% rename from _headers rename to static/_headers index 5531ad9..fe3f8ad 100644 --- a/_headers +++ b/static/_headers @@ -1,9 +1,14 @@ -/ - Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com; block-all-mixed-content; base-uri 'none' +/* + Strict-Transport-Security : max-age=63072000; includeSubDomains; preload + Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' X-Content-Type-Options : nosniff Referrer-Policy : no-referrer Cross-Origin-Opener-Policy : same-origin X-Frame-Options : DENY X-XSS-Protection : 0 - Permissions-Policy : accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb(), sync-xhr=(), xr-spatial-tracking=() + Permissions-Policy : accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=() Cross-Origin-Resource-Policy : same-origin + +/*.xml + ! Content-Security-Policy + Content-Security-Policy : default-src 'none'; img-src 'self' data: https://www.w3.org/; style-src 'self' 'unsafe-inline'; block-all-mixed-content; base-uri 'none'