# Netlify site configuration: redirect/rewrite rules followed by the response
# headers applied to every path. Rules are evaluated by Netlify at the edge;
# nothing here is interpolated or validated beyond TOML syntax, so a typo in a
# header value silently ships to browsers - review with a header checker after
# each deploy.

# Legacy path kept so old inbound links keep working; remove once those links
# have been updated. No `status` is set, so Netlify's default redirect status
# (301) applies.
[[redirects]]
from = "/docs/appendix/infrastructure-template"
to = "/docs/reference/appendix/tradetrust-api"

# Catch-all rewrite, not a redirect: status 200 serves "/" for any path while
# leaving the browser URL unchanged, so client-side routing can resolve it.
# Without `force = true` Netlify serves an existing static file in preference
# to this rule - TODO confirm that is the intended behaviour.
[[redirects]]
from = "/*"
to = "/"
status = 200

# Security headers for every response ("/*").
[[headers]]
for = "/*"
[headers.values]
# Clickjacking protection (legacy header); the CSP below repeats this as
# `frame-ancestors 'none'` for browsers that honour the newer directive.
X-Frame-Options = "DENY"
# Content Security Policy.
# NOTE(review): script-src allows 'unsafe-inline' and 'unsafe-eval', which
# removes most of the XSS protection a CSP can give - an injected inline
# script still executes. Tighten to nonce- or hash-based script-src once the
# site's own inline scripts and the analytics snippets are accounted for.
# `img-src https:` permits images from any HTTPS origin. The remaining
# directives are restrictive: object-src 'none', frame-ancestors 'none',
# base-uri 'self', form-action 'self', upgrade-insecure-requests.
# `frame-src https://app.netlify.com` - presumably for a Netlify widget;
# verify it is still required.
Content-Security-Policy = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self' https://www.google-analytics.com https://*.algolia.net https://*.algolianet.com https://min-api.cryptocompare.com https://api.blocknative.com https://rpc.xinfin.network; frame-src https://app.netlify.com; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests"
# Permissions Policy: every listed feature is disabled for this origin and for
# embedded frames, except `fullscreen=(self)`, which stays available to
# same-origin content. `interest-cohort=()` is a legacy FLoC opt-out; harmless
# to keep.
Permissions-Policy = "camera=(), microphone=(), geolocation=(), interest-cohort=(), payment=(), usb=(), bluetooth=(), magnetometer=(), gyroscope=(), accelerometer=(), autoplay=(), encrypted-media=(), fullscreen=(self), picture-in-picture=()"
# Cross-origin isolation headers.
# CORP same-origin: other origins cannot load this site's resources as
# subresources. COOP same-origin: the page gets its own browsing context
# group, so a cross-origin opener cannot hold a reference to it.
# Without COEP (see below) the document is not "cross-origin isolated", so
# treat this as partial Spectre mitigation only.
Cross-Origin-Resource-Policy = "same-origin"
Cross-Origin-Opener-Policy = "same-origin"
# Cross-Origin-Embedder-Policy deliberately omitted - it conflicts with Netlify
# deployment tooling. Re-evaluate if cross-origin isolation is ever needed.
# Additional security headers
# Stops browsers MIME-sniffing responses away from the declared Content-Type.
X-Content-Type-Options = "nosniff"
# HSTS for one year (31536000 s) including subdomains; no `preload` token, so
# the host is not eligible for the browser preload list. `includeSubDomains`
# applies to every subdomain of the deployed host - confirm all of them serve
# HTTPS before relying on this.
Strict-Transport-Security = "max-age=31536000; includeSubDomains"
# Full URL as referrer on same-origin navigations, origin only cross-origin,
# nothing on an HTTPS->HTTP downgrade.
Referrer-Policy = "strict-origin-when-cross-origin"