netlify.toml

[[headers]]
	for = "/*"
	[headers.values]
		# Require use of HTTPS on the website
		# Browsers should remember the HSTS header for 2 years (63072000s)
		Strict-Transport-Security = "max-age=63072000"

		# Content Security Policy:
		# - Restrict which origins resources can be loaded from:
		#   - same origin (for images, scripts, and styles) ;
		#   - CDNJS, for a certain whitelist of libraries.
		# - Forbid setting the base URI (can be abused to load unintended elements)
		# - Forbid sending forms (can be abused to send cross-origin POSTs)
		# - Forbid loading the site in an iframe (can be abused for clickjacking)
		# - Disable a number of browser functionalities through the sandbox
		Content-Security-Policy = """
		default-src 'none';
		connect-src 'self';
		img-src     'self' data:;
		font-src
		  https://cdnjs.cloudflare.com/ajax/libs/font-awesome/;
		style-src
		  'self'
		  https://cdnjs.cloudflare.com/ajax/libs/font-awesome/
		  https://cdnjs.cloudflare.com/ajax/libs/highlight.js/
		  https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/;
		script-src
		  'self'
		  https://cdnjs.cloudflare.com/ajax/libs/highlight.js/
		  https://cdnjs.cloudflare.com/ajax/libs/jquery/
		  https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/;

		base-uri        'none';
		form-action     'none';
		frame-ancestors 'none';

		sandbox
		  allow-forms
		  allow-modals
		  allow-popups
		  allow-same-origin
		  allow-scripts;
		"""

		# Request the referer not to be sent when navigating from wiki.rustfu.rs
		# This is to protect user privacy; we could use `same-origin` but we aren't
		#  keeping track of referrers anyhow.
		Referrer-Policy = "no-referrer"

		# Prevent browsers from incorrectly detecting non-scripts as scripts
		X-Content-Type-Options = "nosniff"

		# Block site from being framed with X-Frame-Options (duplicated in CSP)
		X-Frame-Options = "DENY"

		# Block pages from loading when they detect reflected XSS attacks
		X-XSS-Protection = "1; mode=block"