Skip to content

Add CSP and security headers #5

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
juliotrigo wants to merge 18 commits into
base: master
Choose a base branch
from
Open

Add CSP and security headers #5

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
dee4bc7
Add initial version of CSP
juliotrigo May 15, 2020
dc4e06d
Use Netlify headers
juliotrigo May 15, 2020
0099cd6
Amend header value format
juliotrigo May 15, 2020
282f883
Revert format change
juliotrigo May 15, 2020
65e6c02
CSP: add data: to font-src
juliotrigo May 15, 2020
cef0755
CSP: add script-src
juliotrigo May 15, 2020
93c039c
CSP: add unsafe-inline to script-src
juliotrigo May 15, 2020
3d9a4e1
CSP: add script-src-elem
juliotrigo May 15, 2020
27021ad
CSP: amend script-src and script-src-elem
juliotrigo May 15, 2020
0a8146d
CSP: add google analytics to img-src
juliotrigo May 15, 2020
14fd979
CSP: remove scripts unsafe-inline
juliotrigo May 15, 2020
49fd52e
CPS: add hash for GA to scripts
juliotrigo May 15, 2020
da500b6
Add CSP frame-ancestors and security headers
juliotrigo May 16, 2020
1405c70
CSP: add data: to img-src
juliotrigo May 16, 2020
ef88f0c
Add Referrer-Policy header
juliotrigo May 16, 2020
fe2fda5
CSP: add base-uri
juliotrigo May 16, 2020
91a8352
CSP: add form-action
juliotrigo May 16, 2020
3b6e273
CSP: add block-all-mixed-content;
juliotrigo May 16, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion _config.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ logo_title: Julio Trigo's logo

author: Julio Trigo

include: [_redirects]
include: [_redirects, _headers]

show_excerpts: true # set to true to show excerpts on the homepage
excerpt_separator: "<!--more-->"
Expand Down Expand Up @@ -72,6 +72,14 @@ google_font:
- url: https://fonts.googleapis.com/css?family=Ubuntu+Mono&display=swap
- url: https://fonts.googleapis.com/css?family=Material+Icons&display=swap

webrick:
headers:
Content-Security-Policy: "default-src 'none'; script-src 'self' 'sha256-yNyiwuL8nlvR0Bq9yrHJ3qM9z/5f5vTLPepYSp3rYi4=' https://www.google-analytics.com; script-src-elem 'self' 'sha256-yNyiwuL8nlvR0Bq9yrHJ3qM9z/5f5vTLPepYSp3rYi4=' https://www.google-analytics.com; img-src 'self' https://www.google-analytics.com https://www.gravatar.com https://webmention.io data: https:; font-src 'self' https://fonts.gstatic.com data:; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; frame-src 'self' https://www.youtube.com; base-uri 'none'; form-action 'none'; require-trusted-types-for 'script'; frame-ancestors 'none'; block-all-mixed-content;"
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade

# Build settings
markdown: kramdown
theme: minima
Expand Down
15 changes: 15 additions & 0 deletions _headers
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
/*
# CSP
Content-Security-Policy: default-src 'none'; script-src 'self' 'sha256-yNyiwuL8nlvR0Bq9yrHJ3qM9z/5f5vTLPepYSp3rYi4=' https://www.google-analytics.com; script-src-elem 'self' 'sha256-yNyiwuL8nlvR0Bq9yrHJ3qM9z/5f5vTLPepYSp3rYi4=' https://www.google-analytics.com; img-src 'self' https://www.google-analytics.com https://www.gravatar.com https://webmention.io data: https:; font-src 'self' https://fonts.gstatic.com data:; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; frame-src 'self' https://www.youtube.com; base-uri 'none'; form-action 'none'; require-trusted-types-for 'script'; frame-ancestors 'none'; block-all-mixed-content;

# Block site from being framed with X-Frame-Options
X-Frame-Options: DENY

# Prevent browsers from incorrectly detecting non-scripts as scripts
X-Content-Type-Options: nosniff

# Block pages from loading when they detect reflected XSS attacks
X-XSS-Protection: 1; mode=block

# Do not send the referrer header when navigating from HTTPS to HTTP
Referrer-Policy: no-referrer-when-downgrade