-
Notifications
You must be signed in to change notification settings - Fork 0
/
netlify.toml
51 lines (46 loc) · 2.25 KB
/
netlify.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
# ------- BUILD -------
# documentation: https://docs.netlify.com/configure-builds/file-based-configuration/#build-settings
[build]
base = "docs/"
# ------- HEADERS -------
# documentation: https://www.netlify.com/docs/headers-and-basic-auth/
[[headers]]
for = "/*"
[headers.values]
# for a brief introduction into CSPs, see https://infosec.mozilla.org/guidelines/web_security#content-security-policy
# for an in-depth description, see [An Introduction to Content Security Policy](https://www.html5rocks.com/en/tutorials/security/content-security-policy/)
# for an up-to-date list of available policies, see
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
# - [OWASP CSP Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Content_Security_Policy_Cheat_Sheet.md)
# notes:
# - `connect-src data:` is required for asciinema (asciicast)
# - `connect-src https://t.counter.dev` is required for counter.dev analytics
# - `object-src 'self';` has to be set to enable PDF preview in Chrome
# - `script-src 'unsafe-eval'` is required for MathJax, cf. https://github.com/mathjax/MathJax/issues/1988#issuecomment-384978927
# - `script-src https://rpkg.dev` is required for counter.dev analytics
# - `style-src 'unsafe-inline'` is required for MathJax, cf. https://github.com/mathjax/MathJax/issues/1988#issuecomment-581567775
Content-Security-Policy = '''
base-uri 'self';
default-src 'none';
connect-src 'self' data: https://t.counter.dev;
font-src 'self';
img-src 'self' data: https://r-pkg.org;
manifest-src 'self';
object-src 'self';
script-src 'self' 'unsafe-eval' https://rpkg.dev;
style-src 'self' 'unsafe-inline';
form-action 'self';
frame-ancestors 'none'
'''
Referrer-Policy = "strict-origin-when-cross-origin"
X-Content-Type-Options = "nosniff"
X-Frame-Options = "DENY"
X-XSS-Protection = "1; mode=block"
# ------- REDIRECTS -------
# Redirect rules are processed [from top to bottom](https://docs.netlify.com/routing/redirects/#rule-processing-order), i.e. first matching one has priority
# fall back to dev site (non-shadowing), so that links not (yet) available in stable site are automatically redirected to dev version if present
[[redirects]]
from = "/*"
to = "/dev/:splat"
status = 302
force = false