-
-
Notifications
You must be signed in to change notification settings - Fork 780
/
_headers
64 lines (59 loc) · 3.61 KB
/
_headers
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
---
# Netlify _headers template. See syntax on https://docs.netlify.com/routing/headers/.
#
# This configuration sets default headers for pages and API responses, and:
# - a CSP and a "Link" header pointing to the API for product pages,
# - a more restrictive CSP for non-product pages,
# - a CSP that allows Stoplight Elements to load correctly for /docs/api.
#
# For a rationale of all the CSP headers, see https://github.com/endoflife-date/endoflife.date/wiki/CSP-Headers.
# Setting a layout forces Jekyll to render this file.
layout: null
---
# Default headers for all pages.
/*
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
# Generated using https://www.permissionspolicy.com/
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), sync-script=(), trust-token-redemption=(), unload=(), window-placement=(), vertical-scroll=()
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
# Default headers for static resources
/assets/*
Cache-Control : public, max-age=3600;
/browserconfig.xml
Cache-Control : public, max-age=3600;
/favicon.ico
Cache-Control : public, max-age=3600;
/manifest.json
Cache-Control : public, max-age=3600;
# Default headers for API resources.
/api*
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Access-Control-Max-Age: 86400
# Default headers for calendar resources.
/calendar/*
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Access-Control-Max-Age: 86400
# Configuration for all "pages" in the website (e.g. product pages, website pages such as / or /recommendations, API "pages"...).
{% assign defaultCspImgSrc="'self' https://img.shields.io https://www.netlify.com https://cdn.jsdelivr.net/ https://github.githubassets.com/ https://user-images.githubusercontent.com/ https://github-production-user-asset-6210df.s3.amazonaws.com" %}
{%- for page in site.html_pages -%}
{{page.url}}
{%- if page.layout == 'product' %}
{%- if page.releaseImage %}
{% capture releaseImageSrc %}https://{{ page.releaseImage | parse_uri: 'host' }}{% endcapture %}
{% else %}
{% assign releaseImageSrc="" %}
{% endif %}
Content-Security-Policy: default-src 'none'; manifest-src 'self'; connect-src 'self'; script-src 'self'; style-src 'self'; img-src {{ defaultCspImgSrc }} {{ releaseImageSrc }}
Link: /api{{page.permalink}}.json; rel=alternate;type=application/json
Link: /calendar{{page.permalink}}.ics; rel=alternate;type=text/calendar
{% elsif page.permalink == '/docs/api' %}
Content-Security-Policy: default-src 'none'; manifest-src 'self'; connect-src 'self'; script-src 'self' https://unpkg.com/@stoplight/elements/web-components.min.js; style-src 'self' https://unpkg.com/@stoplight/elements/ 'unsafe-inline'
{% else %}
Content-Security-Policy: default-src 'none'; manifest-src 'self'; connect-src 'self'; script-src 'self'; style-src 'self'; img-src {{ defaultCspImgSrc }}
{% endif %}
{% endfor %}