Security headers #142

khannzxc · 2021-07-26T15:12:07Z

khannzxc
Jul 26, 2021

I have checked the site with https://securityheaders.com/

Found the below issues.

Find some code and added in netlify.toml

[[headers]]
  for = "/*"
  [headers.values]
    SameSite = "Lax"
    Referrer-Policy = "strict-origin-when-cross-origin"
    X-Frame-Options = "SAMEORIGIN"
    X-XSS-Protection = "0"
    X-Content-Type-Options = "nosniff"
    Content-Security-Policy = "	default-src * data: blob: 'self';script-src https://utteranc.es/ *.github.com *.netlify.com *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.google.com 127.0.0.1:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net wss://*.facebook.com:* wss://*.whatsapp.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';block-all-mixed-content;upgrade-insecure-requests;"

And all the tests get passed.

I think it has some effects on site ranking. what are your guys' thoughts?

razonyang · 2021-07-26T15:33:12Z

razonyang
Jul 26, 2021
Maintainer

Thanks for pointing it out. I think it would be good to add those parameters into netlify.toml, so that the netlify.toml can be a good example for users who host their sites on Netlify.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security headers #142

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Security headers #142

khannzxc Jul 26, 2021

Replies: 1 comment

razonyang Jul 26, 2021 Maintainer

khannzxc
Jul 26, 2021

razonyang
Jul 26, 2021
Maintainer