feat: harden HTTP headers (!18) · Merge requests · Ming Di Leom / blog · GitLab

Ming Di Leom requested to merge http-header into master May 20, 2019

content-security-policy
- specify allowed sources of script and style/link
  - cdnjs
  - netlify production
  - netlify deploy previews (for MR)
- allow inline JS
- block mixed-content
- no <form>, no frame-ancestors/iframe
- https://scotthelme.co.uk/content-security-policy-an-introduction/
- https://stackoverflow.com/a/40417609
no referrer
Use netlify's default hsts max-age. Lower value is only applicable for custom domain.
feature-policy
ref:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
- https://developer.okta.com/blog/2019/04/11/site-security-cloudflare-netlify

Edited May 20, 2019 by Ming Di Leom