67 lines (57 loc) · 3.13 KB
_headers
# Cache-Control headers for Cloudflare Pages / Netlify.
#
# Current production hosting is GitHub Pages behind Cloudflare DNS/proxy. GitHub
# Pages ignores this file, and Cloudflare's reverse proxy does not read a
# repository _headers file from a GitHub Pages origin. The executable edge
# implementation for the current setup lives in workers/site-edge-headers.js.
# Keep the two policies aligned if either file changes.
#
# /assets/css/*.css and /assets/js/*.js are content-fingerprinted at build
# time (filename embeds a SHA-256 prefix; see _plugins/asset_fingerprint.rb).
# That makes the long-lived `immutable` lifetime safe — every CSS/JS change
# produces a new URL, so browsers and edge caches refresh on the next page
# load without manual purge. Pagefind UI is not fingerprinted by us; it uses
# `?v=<build-epoch>` query strings emitted from _includes/head.html.

# Immutable hashed assets (fonts, images, favicons, webmanifest)
/assets/*
  Cache-Control: public, max-age=31536000, immutable

# Fingerprinted CSS bundle (main.<hash>.css)
/assets/css/*
  Cache-Control: public, max-age=31536000, immutable

/pagefind/*
  Cache-Control: public, max-age=31536000, immutable

# HTML pages: short cache + revalidate (content changes on deploy)
/*.html
  Cache-Control: public, max-age=3600, must-revalidate

# Sitemap and feeds: moderate cache
/sitemap.xml
  Cache-Control: public, max-age=86400

/robots.txt
  Cache-Control: public, max-age=86400

# Webmanifest
/assets/site.webmanifest
  Cache-Control: public, max-age=604800

# Machine-readable indexes — CORS-permissive for cross-site embedding
# (CC BY 4.0 content; sibling sites and partner programs can fetch these freely)
/api/*
  Cache-Control: public, max-age=3600, stale-while-revalidate=86400
  Access-Control-Allow-Origin: *
  Access-Control-Allow-Methods: GET, HEAD, OPTIONS
  Access-Control-Allow-Headers: Content-Type
  Access-Control-Max-Age: 86400

/api/*.json
  Content-Type: application/json; charset=utf-8

# Security headers (bonus — free hardening)
# Link response headers for agent/machine discovery (RFC 8288, IANA-registered rel types):
# - sitemap → /sitemap.xml
# - license → CC BY 4.0 (site content license)
# - service-doc → /corpus/taulib/docs/ (TauLib Lean 4 API reference, human-readable)
# - help → /verify/assessment-protocols/ (assessment protocols & usage rules)
# - author → /program/about/founders/ (research program authors)
# - describedby → /program/about/ (canonical program description)
/*
  X-Content-Type-Options: nosniff
  X-Frame-Options: DENY
  Referrer-Policy: strict-origin-when-cross-origin
  Permissions-Policy: camera=(), microphone=(), geolocation=()
  Link: </sitemap.xml>; rel="sitemap"; type="application/xml", <https://creativecommons.org/licenses/by/4.0/>; rel="license"; title="CC BY 4.0", </corpus/taulib/docs/>; rel="service-doc"; type="text/html"; title="TauLib API reference", </verify/assessment-protocols/>; rel="help"; type="text/html"; title="Assessment protocols", </program/about/founders/>; rel="author"; type="text/html"; title="Founders", </program/about/>; rel="describedby"; type="text/html"; title="About the research program"
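
Several rules in this file match the same path (for example `/assets/*` and `/assets/site.webmanifest` both set `Cache-Control`), so the header a response actually carries depends on how the host combines matching rules. The following is an added example, not code from this repository or from `workers/site-edge-headers.js`: it parses a `_headers` file and lists, for a given path, the headers on which the matching rules disagree. The function names, the sample text and the treatment of `*` as the only wildcard are assumptions of the example.

```javascript
// Added example, not the repository's code. SAMPLE is a constructed excerpt
// of the rules above. Assumption: "*" is the only wildcard in path patterns.
const SAMPLE = `
/assets/*
  Cache-Control: public, max-age=31536000, immutable
/*.html
  Cache-Control: public, max-age=3600, must-revalidate
/assets/site.webmanifest
  Cache-Control: public, max-age=604800
/*
  X-Frame-Options: DENY
`;

// Parse into [{ pattern, headers: [[name, value], ...] }], in file order.
function parseHeaders(text) {
  const rules = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    // An unindented line starts a new path rule; indented lines are its headers.
    if (!/^\s/.test(raw)) { rules.push({ pattern: line, headers: [] }); continue; }
    const i = line.indexOf(":");
    const last = rules[rules.length - 1];
    if (i > 0 && last) last.headers.push([line.slice(0, i).trim(), line.slice(i + 1).trim()]);
  }
  return rules;
}

// Match a request path against a pattern; everything except "*" is literal.
function matches(pattern, path) {
  const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + pattern.split("*").map(esc).join(".*") + "$").test(path);
}

// Map of lower-cased header name -> values from every rule that matches path.
function effective(rules, path) {
  const out = new Map();
  for (const { pattern, headers } of rules) {
    if (!matches(pattern, path)) continue;
    for (const [name, value] of headers) {
      const key = name.toLowerCase();
      out.set(key, [...(out.get(key) || []), value]);
    }
  }
  return out;
}

// Header names for which the matching rules disagree on the value.
function conflicts(rules, path) {
  return [...effective(rules, path)].filter(([, v]) => new Set(v).size > 1).map(([k]) => k);
}
```

Running `conflicts` over a list of representative paths before a deploy shows where a narrower rule such as the webmanifest lifetime is competing with a broader one.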