-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy path_headers
More file actions
35 lines (25 loc) · 1.54 KB
/
_headers
File metadata and controls
35 lines (25 loc) · 1.54 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# Cloudflare Pages 安全標頭配置
# 文檔: https://developers.cloudflare.com/pages/platform/headers/
# 全域安全標頭
/*
# 防止點擊劫持
X-Frame-Options: DENY
# 防止 MIME 類型嗅探
X-Content-Type-Options: nosniff
# 啟用瀏覽器 XSS 過濾器
X-XSS-Protection: 1; mode=block
# 推薦來源政策
Referrer-Policy: strict-origin-when-cross-origin
# 權限政策(限制瀏覽器功能)
Permissions-Policy: geolocation=(), microphone=(), camera=(), payment=(), usb=(), accelerometer=(), gyroscope=(), magnetometer=()
# HSTS(強制 HTTPS,有效期 1 年)
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com https://esm.run https://cdn.jsdelivr.net https://www.googletagmanager.com https://static.cloudflareinsights.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self' https://www.googleapis.com https://www.google-analytics.com https://lazy-pagespeed-api.blackflash.workers.dev https://*.r2.cloudflarestorage.com https://*.r2.dev; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests
# 快取控制(靜態資源)
/assets/*
Cache-Control: public, max-age=31536000, immutable
/js/*
Cache-Control: public, max-age=31536000, immutable
# HTML 不快取(確保總是取得最新版本)
/*.html
Cache-Control: public, max-age=0, must-revalidate