# Netlify Configuration with Security Headers
# =============================================
# Build settings: `command` runs at deploy time and `publish` is the directory
# Netlify serves as the site root. Every `for` pattern in the [[headers]]
# rules below is matched against request paths for files under it.
[build]
publish = "dist"
command = "npm run build"
# Redirects for SPA: a 200 rewrite (not a 301/302) serves index.html for any
# path so client-side routes can be deep-linked. Because `force = true` is
# not set, Netlify serves a real file from `publish` first when one exists,
# so this catch-all does not shadow built assets.
[[redirects]]
from = "/*"
to = "/index.html"
status = 200
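# Security Headers - Applied to all routes
[[headers]]
for = "/*"
[headers.values]
# Prevent clickjacking attacks. Legacy header kept for older browsers; the
# CSP `frame-ancestors 'none'` below is the modern equivalent, and both are
# set so old and new browsers enforce the same rule.
X-Frame-Options = "DENY"
# Prevent MIME type sniffing
X-Content-Type-Options = "nosniff"
# Referrer policy: full URL only to same-origin requests, origin only to
# cross-site HTTPS, nothing on a downgrade to HTTP.
Referrer-Policy = "strict-origin-when-cross-origin"
# Content Security Policy, one directive per line so that changes to a single
# source list review cleanly. The trailing backslashes fold the lines into a
# single-line header value.
# NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src allow any
# injected inline script to execute, which removes most of the XSS
# protection the rest of this policy provides. Prefer hashes (the simplest
# fit for a static build) or nonces, and confirm whether any dependency
# actually needs eval before keeping 'unsafe-eval'.
# base-uri, object-src and frame-ancestors do not fall back to default-src,
# so they are set explicitly. form-action is deliberately left unset here:
# confirm no form submits cross-origin (e.g. an OAuth flow) before adding
# `form-action 'self'`.
Content-Security-Policy = """\
default-src 'self'; \
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cloud.umami.is https://*.supabase.co https://widget.feeduser.me; \
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://*.feeduser.me; \
font-src 'self' https://fonts.gstatic.com https://*.feeduser.me; \
img-src 'self' data: blob: https://*.supabase.co https://*.feeduser.me https://*.googleusercontent.com; \
media-src 'self' blob: https://*.supabase.co; \
connect-src 'self' https://*.supabase.co wss://*.supabase.co https://cloud.umami.is https://*.feeduser.me https://api.ipify.org; \
frame-src https://*.feeduser.me; \
object-src 'none'; \
base-uri 'self'; \
frame-ancestors 'none'\
"""
# Strict Transport Security (HTTPS only). `preload` is a long-lived
# commitment: once the domain is submitted to the browser preload list, every
# subdomain must keep serving HTTPS, and getting removed again takes months.
Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload"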
# Cache static assets for one year. `immutable` tells browsers never to
# revalidate, which is only safe when every file under /assets/ has a
# content hash in its name so a rebuild produces a new URL.
# NOTE(review): the build command above does not show which bundler is used;
# confirm its output under /assets/ is content-hashed, otherwise an updated
# file would stay stuck in caches for a year.
[[headers]]
for = "/assets/*"
[headers.values]
Cache-Control = "public, max-age=31536000, immutable"
# Don't cache HTML, so a deploy is picked up on the next navigation.
# NOTE(review): this pattern only matches request paths that end in .html.
# The document served at `/` and at SPA routes rewritten to index.html by the
# redirect above are requested under other paths, so they do not receive this
# header and fall back to Netlify's default HTML caching. Confirm that is
# acceptable or widen the pattern to cover those routes.
[[headers]]
for = "/*.html"
[headers.values]
Cache-Control = "no-cache, no-store, must-revalidate"
# Keep source maps out of search indexes.
# NOTE(review): X-Robots-Tag only asks crawlers not to index; the .map files
# are still served to anyone who requests them, so this does not keep the
# bundled source private. If source maps must not be public, disable their
# generation in the build step (or upload them only to the error-tracking
# service that needs them) rather than relying on this header.
[[headers]]
for = "/*.map"
[headers.values]
X-Robots-Tag = "noindex"