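[[headers]]
for = "/*"
[headers.values]
# Only connect to this site and subdomains via HTTPS for the next one year
# (31536000 s = 365 days). Browsers only honour HSTS on responses that were
# themselves delivered over HTTPS.
Strict-Transport-Security = "max-age=31536000; includeSubDomains"
# X-Frame-Options tells the browser whether you want to allow your site to
# be framed or not. By preventing a browser from framing your site you can
# defend against attacks like clickjacking. Kept for browsers that predate
# CSP frame-ancestors; where both are present, frame-ancestors (below) wins.
X-Frame-Options = "SAMEORIGIN"
# Prevent browsers from incorrectly detecting non-scripts as scripts
X-Content-Type-Options = "nosniff"
# X-XSS-Protection configures the legacy XSS auditor that some browsers once
# shipped. Current browsers have removed that auditor and ignore this header;
# OWASP now recommends sending "0" because the filter itself misbehaved in
# older browsers. Value left unchanged here - revisit when touching headers.
X-XSS-Protection = "1; mode=block"
# Referrer-Policy controls how much of the referring URL the browser includes
# with navigations and subresource requests away from a document.
# strict-origin-when-cross-origin: full URL for same-origin requests, origin
# only for cross-origin requests, nothing on an HTTPS -> HTTP downgrade.
Referrer-Policy = "strict-origin-when-cross-origin"
# CORS: because this rule matches "/*", every response is readable from any
# origin. "*" never permits credentialed requests, so on a public static site
# this mainly lets third-party pages fetch() the published assets.
Access-Control-Allow-Origin = "*"
# Content-Security-Policy, one directive per line (continuation lines are
# indented). Netlify is expected to collapse the line breaks inside this
# multi-line string into whitespace when it emits the header - the file has
# always relied on that. Do not put '#' comments inside the string: they
# would become part of the header value.
# Notes for reviewers of this policy:
# - frame-ancestors 'self' duplicates X-Frame-Options above, as intended.
# - script-src carries 'unsafe-inline', 'unsafe-eval' and data:, which
#   together largely neutralise script-src as an XSS mitigation. Moving to
#   nonces/hashes is the usual remedy once inline scripts are removed.
# - object-src is 'self'; 'none' is the common choice when the site serves
#   no plugin content - confirm before changing.
# - base-uri and form-action do not inherit from default-src and are not
#   set, so they are currently unrestricted - consider adding them.
# - media-src has no 'self', so same-origin audio/video would be blocked;
#   presumably intentional - confirm with the site owners.
Content-Security-Policy = '''
upgrade-insecure-requests;
frame-ancestors 'self';
default-src 'self' https://api.github.com/;
connect-src 'self' blob: data:
  https://*.google-analytics.com/
  https://api.github.com/
  https://www.githubstatus.com/
  https://githubstatus.com/
  https://www.netlifystatus.com/
  https://netlifystatus.com/
  https://api.pegabot.com.br/
  https://backend.pegabot.com.br/;
frame-src 'self'
  https://www.youtube-nocookie.com/
  https://youtube-nocookie.com/
  https://www.youtube.com/
  https://youtube.com/;
img-src 'self'
  https://*.google-analytics.com/
  https://*.appcivico.com/
  https://*.cloudfront.net/
  https://browser-update.org/
  https://pbs.twimg.com/
  https://*.githubusercontent.com
  https://puppeteer.pegabot.com.br/
  data:
  blob:;
object-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval'
  https://identity.netlify.com/
  https://api.twitter.com/
  https://browser-update.org/
  https://cdn.jsdelivr.net/
  https://mobile.twitter.com/
  https://pbs.twimg.com/
  https://pic.twitter.com/
  https://platform.twitter.com/
  https://publish.twitter.com/
  https://s3.amazonaws.com/downloads.mailchimp.com/
  https://sentry.eokoe.com/
  https://static.ads-twitter.com/
  https://static.twitter.com/
  https://storage.googleapis.com/
  https://twemoji.twitter.com/
  https://twitter.com/
  https://unpkg.com/
  https://www.google-analytics.com/
  https://www.googletagmanager.com/
  https://api.github.com/
  https://s3.amazonaws.com/
  https://cdnjs.cloudflare.com/
  data:;
style-src 'self' 'unsafe-inline'
  https://cdn-images.mailchimp.com/
  https://fonts.googleapis.com/;
font-src 'self'
  https://cdn-images.mailchimp.com/
  https://fonts.googleapis.com/
  https://www.google-analytics.com/
  https://fonts.gstatic.com/;
media-src
  https://*.cloudfront.net/
  https://google-analytics.com/
  https://puppeteer.pegabot.com.br/;
'''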