forked from endoflife-date/endoflife.date
-
Notifications
You must be signed in to change notification settings - Fork 0
/
_headers
59 lines (49 loc) · 2.72 KB
/
_headers
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
---
# Setting a layout forces Jekyll to render this file
layout: null
---
/*
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
# Generated using https://www.permissionspolicy.com/
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=() interest-cohort=()
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
/api*
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Access-Control-Max-Age: 86400
{% comment %}
The following loop runs for all "pages" in the website. This includes:
- product pages
- "website pages" (/, /recommendations, /docs/api)
1. For all product pages, we add a "Link" header linking to the API and a CSP
header that takes into account the images we might embed in the page.
2. For non product pages, we add a much restrictive CSP
3. For /docs/api, we add a CSP that allows Stoplight Elements to load correctly.
For a rationale of all the CSP headers, please see https://github.com/endoflife-date/endoflife.date/wiki/CSP-Headers
See Netlify's syntax: https://docs.netlify.com/routing/headers/
{% endcomment %}
{% for page in site.html_pages %}
{{page.url}}
{% comment %}
If it is a product page, add a link to the API page
{% endcomment %}
{% assign imgsrc="'self' https://simpleicons.org/ https://github.githubassets.com/ " %}
{% if page.layout == 'product' %}
Link: /api{{page.permalink}}.json; rel=alternate;type=application/json
{% comment %}
If we have a release image, set a CSP that includes it
{% endcomment %}
{% if page.releaseImage %}
{% assign imghost = page.releaseImage|parse_uri:'host' %}
{% assign imgsrc = imgsrc|append:'https://'|append:imghost %}
{% endif %}
Content-Security-Policy: default-src 'none'; connect-src 'self'; img-src {{imgsrc}}; script-src 'self'; style-src 'self'
{% elsif page.permalink == '/docs/api' %}
Content-Security-Policy: default-src 'none'; connect-src 'self'; script-src 'self' https://unpkg.com/@stoplight/elements/web-components.min.js; style-src 'self' https://unpkg.com/@stoplight/elements/
{% else %}
Content-Security-Policy: default-src 'none'; connect-src 'self'; script-src 'self'; style-src 'self'; img-src {{imgsrc}}
{% endif %}
{% endfor %}