34 lines
1.2 KiB
Plaintext
34 lines
1.2 KiB
Plaintext
# Security Headers for all routes
|
|
/*
|
|
# XSS Protection
|
|
X-Frame-Options: DENY
|
|
X-Content-Type-Options: nosniff
|
|
X-XSS-Protection: 1; mode=block
|
|
|
|
# Referrer Policy
|
|
Referrer-Policy: strict-origin-when-cross-origin
|
|
|
|
# Permissions Policy
|
|
Permissions-Policy: geolocation=(self), microphone=(), camera=(), payment=()
|
|
|
|
# Strict Transport Security (HSTS)
|
|
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
|
|
|
|
# Content Security Policy
|
|
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https: blob:; connect-src 'self' https://www.google-analytics.com https://*.googletagmanager.com; frame-ancestors 'none';
|
|
|
|
# Cache Control for static assets
|
|
Cache-Control: public, max-age=31536000, immutable
|
|
|
|
# Cache Control for HTML
|
|
/*.html
|
|
Cache-Control: public, max-age=0, must-revalidate
|
|
|
|
# Cache Control for service worker
|
|
/sw.js
|
|
Cache-Control: public, max-age=0, must-revalidate
|
|
|
|
# Cache Control for manifest
|
|
/manifest.json
|
|
Cache-Control: public, max-age=86400, must-revalidate
|