netlify.toml

# netlify.toml file
# Header configuration

[[headers]]
  for = "/*"
  [headers.values]
    # Prevents the site from being framed by other sites, protecting against clickjacking.
    X-Frame-Options = "DENY"
    # Activates the browser's built-in cross-site scripting (XSS) filter and blocks responses if an attack is detected.
    X-XSS-Protection = "1; mode=block"
    # Ensures that only trusted content is executed and styled. TODO: Consider using nonces or hashes for inline scripts instead of unsafe-inline.
    Content-Security-Policy = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cardano.org https://new-cardano-org-staging.netlify.app https://www.googletagmanager.com https://js.hsforms.net https://forms.hsforms.com https://www.google.com https://www.gstatic.com; img-src 'self' https://cardano.org https://new-cardano-org-staging.netlify.app https://forms.hsforms.com https://forms-eu1.hsforms.com data: https://*.ytimg.com; style-src 'self' 'unsafe-inline'; frame-src 'self' https://www.youtube.com https://www.youtube-nocookie.com https://www.google.com https://*.hsforms.com; media-src 'self' https://www.youtube.com https://www.youtube-nocookie.com; connect-src 'self' https://hubspot-forms-static-embed.s3.amazonaws.com https://*.hsforms.com https://*.google-analytics.com https://cardano-mainnet.blockfrost.io"
    # Enforces secure connections via HTTPS, protecting against certain types of man-in-the-middle attacks.
    Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
    # Controls information provided as the HTTP Referer header when navigating from your site, enhancing privacy and security.
    Referrer-Policy = "no-referrer-when-downgrade"
    # Allows you to explicitly enable or disable various browser features and APIs for your site, enhancing security.
    Feature-Policy = "geolocation 'none'; microphone 'none';"

# Specific header configuration for iframe exceptions
[[headers]]
  for = "/archive/static.iohk.io/adasale/*"
  [headers.values]
    X-Frame-Options = "SAMEORIGIN"
    # This path has its own content security policy
    Content-Security-Policy = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cardano.org https://new-cardano-org-staging.netlify.app https://www.googletagmanager.com https://maxcdn.bootstrapcdn.com; img-src 'self' https://cardano.org https://new-cardano-org-staging.netlify.app data:; style-src 'self' 'unsafe-inline'; font-src 'self' https://maxcdn.bootstrapcdn.com"

# Redirects
[[redirects]]
  from = "/partners/"
  to = "https://cardano.org/entities/"
  status = 301