Securityheaders cf (#556)

laliconfigcat · web-flow · commit 709438ade4ae · 2025-06-16T10:15:41.000+02:00
* security headers

* cp

* cp

* test

* fix

* credentialless
diff --git a/website/_headers b/website/_headers
@@ -0,0 +1,12 @@
+# Please note that the docs is hosted under the homepage's domain, so security headers should be copied here from the homepage repository to here so CloudFlare Pages have the same security headers as it would be from an nginx hosted version.
+
+/*
+  Strict-Transport-Security: max-age=31536000; includeSubDomains
+  X-Content-Type-Options: nosniff
+  X-Frame-Options: SAMEORIGIN
+  Referrer-Policy: strict-origin
+  Permissions-Policy: accelerometer=(),autoplay=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(self),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()
+  Cross-Origin-Opener-Policy: same-origin
+  Cross-Origin-Resource-Policy: same-origin
+  Cross-Origin-Embedder-Policy: credentialless
+  Content-Security-Policy: default-src 'none'; frame-src 'self' https://*.configcat.com https://www.google.com https://challenges.cloudflare.com https://www.youtube.com https://*.googletagmanager.com https://td.doubleclick.net; script-src 'self' 'unsafe-inline' https://*.configcat.com https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.google-analytics.com https://www.google.com https://www.gstatic.com https://challenges.cloudflare.com https://*.cloudflareinsights.com https://*.cello.so https://*.smartlook.com; style-src 'self' 'unsafe-inline' *.bootstrapcdn.com https://fonts.googleapis.com https://googletagmanager.com https://tagmanager.google.com https://use.typekit.net https://p.typekit.net; font-src 'self' data: https://fonts.gstatic.com https://fonts.googleapis.com https://use.typekit.net; img-src 'self' data: https://*.configcat.com https://*.google-analytics.com https://*.google.com https://*.googletagmanager.com https://codecov.io https://img.shields.io https://github.com https://snyk.io https://sonarcloud.io https://data.jsdelivr.com https://maven-badges.herokuapp.com https://javadoc.io https://ci.appveyor.com https://buildstats.info https://goreportcard.com https://godoc.org https://poser.pugx.org https://badge.fury.io https://coveralls.io https://pkg.go.dev https://s3.amazonaws.com https://*.cloudfront.net https://img.youtube.com https://thepracticaldev.s3.amazonaws.com https://raw.githubusercontent.com https://blog.ladeak.net; media-src 'self'; connect-src 'self' https://*.configcat.com https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://*.g.doubleclick.net https://*.google.com https://*.amplitude.com https://*.cloudflareinsights.com https://*.algolia.net https://*.cello.so https://*.smartlook.com https://*.smartlook.cloud; object-src 'self'; child-src 'self' blob:; frame-ancestors 'self'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'self'; manifest-src 'self';
diff --git a/website/package.json b/website/package.json
@@ -11,7 +11,7 @@
     "serve": "docusaurus serve",
     "gen-api-docs": "docusaurus gen-api-docs all && node ./api/cleanup-api-docs.js",
     "typecheck": "tsc",
-    "cf": "npm run gen-api-docs && docusaurus build --out-dir build/docs && echo / /docs > build/_redirects && node testrobots.js"
+    "cf": "npm run gen-api-docs && docusaurus build --out-dir build/docs && echo / /docs > build/_redirects && node testrobots.js && cp _headers build/_headers"
   },
   "dependencies": {
     "@docusaurus/core": "^3.5.2",
