Add default security headers

Adds security headers. They need to be adapted whenever the Cloudflare beacon changes.
LukasBoll · Sep 15, 2023 · 216087e · 216087e
1 parent fe79adf
commit 216087e
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/build.sh b/build.sh
@@ -1,5 +1,9 @@
 #!/usr/bin/env bash
 
+# 
+# Add versions to frontpage
+#
+
 function next() {
     NEXTVERSIONCANDIDATE=$(curl --silent "https://api.github.com/repos/eclipsesource/jsonforms/tags" | grep '"name":' | head -1 | sed -E 's/.*"([^"]+)".*/\1/')
     if [[ ${NEXTVERSIONCANDIDATE:0:1} == "v" ]] && [[ $NEXTVERSIONCANDIDATE != $CURRENTVERSION ]] ; then NEXTVERSION="${NEXTVERSIONCANDIDATE:1}"; fi

diff --git a/netlify.toml b/netlify.toml
@@ -28,3 +28,13 @@
 [[redirects]]
  from = "/public/api/vue2/*"
  to = "/api/vue2/"
+
+[[headers]]
+   for = "/*"
+   [headers.values]
+      Access-Control-Allow-Origin = "*"
+      Referrer-Policy = "strict-origin-when-cross-origin"
+      Content-Security-Policy = "default-src 'self'; script-src 'self' 'unsafe-eval' 'sha256-mC5lwOEBZZZXJoN3sDvzxnxAdNIEKujq9NSXgmhc4HM=' 'sha256-iIf+c/EMxKD/FXoUDy0YsZ3mE+JhzPsmR+aVbrjkdwM=' static.cloudflareinsights.com cloudflareinsights.com/cdn-cgi/rum; connect-src cloudflareinsights.com/cdn-cgi/rum; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'self';"
+      X-Frame-Options = "SAMEORIGIN"
+      X-Content-Type-Options = "nosniff"
+      Permissions-Policy = "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"