## glossaforge — Netlify Security Headers
/*
# Force HTTPS — 2-year HSTS (includeSubDomains binds every subdomain, so all of them must already serve HTTPS; preload only takes effect once the domain is submitted to the browser preload list and is hard to reverse)
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
# Prevent clickjacking (legacy header; frame-ancestors 'none' in the CSP below enforces the same thing in modern browsers)
X-Frame-Options: DENY
# Prevent MIME-type sniffing
X-Content-Type-Options: nosniff
# Send only the origin (no path/query) on cross-origin requests, and no referrer at all on an HTTPS→HTTP downgrade
Referrer-Policy: strict-origin-when-cross-origin
# Permissions Policy — every device/sensor API denied (map is purely display, no user device access); only fullscreen and sync-xhr remain allowed for same-origin
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(self), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(self), usb=(), web-share=(), xr-spatial-tracking=()
# Isolate the browsing context group: cross-origin windows opened from (or opening) this page get no window.opener reference
Cross-Origin-Opener-Policy: same-origin
# Content Security Policy
# NOTE: script-src allows 'unsafe-inline', so any injected inline script still executes; this removes most of the XSS mitigation CSP provides — prefer nonces or hashes once the inline scripts can be enumerated
# External resources: cdnjs (Leaflet), Google Fonts, CartoDB tiles, OSM tiles
# NOTE: no cdnjs origin appears in script-src or style-src below, so Leaflet must be served from 'self'; if it is still loaded from cdnjs the policy blocks it (verify, then either self-host it or add the origin)
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src https://fonts.gstatic.com; img-src 'self' data: blob: https://*.tile.openstreetmap.org https://*.basemaps.cartocdn.com; connect-src 'self'; frame-src 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests
/sw.js
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache