From e353e57ab3e5417ba2918bc98bbbcad640cb2b7c Mon Sep 17 00:00:00 2001
From: Paul Arah
Date: Mon, 18 Aug 2025 19:09:51 +0100
Subject: [PATCH 1/3] fix: add CSP to netlfiy

Signed-off-by: Paul Arah
---
 netlify.toml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/netlify.toml b/netlify.toml
index a1cd1c756..0fd5ffee6 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -1,3 +1,13 @@
 [build]
 publish = "public"
 command = "gatsby build"
+
+[[headers]]
+ for = "/*"
+ [headers.values]
+ Content-Security-Policy-Report-Only = "default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'self'; form-action 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https://www.google-analytics.com; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://www.google-analytics.com https://region1.google-analytics.com; frame-src 'self' https://www.youtube.com https://player.vimeo.com"
+ Permissions-Policy = "accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self), usb=(), xr-spatial-tracking=(), browsing-topics=()"
+ Referrer-Policy = "strict-origin-when-cross-origin"
+ X-Content-Type-Options = "nosniff"
+ X-Frame-Options = "DENY"
+ Strict-Transport-Security = "max-age=31536000"

From 1206c606d00707a3de57f06c28a21750fe8264f6 Mon Sep 17 00:00:00 2001
From: Paul Arah
Date: Mon, 18 Aug 2025 19:26:57 +0100
Subject: [PATCH 2/3] fix: enforce csp

Signed-off-by: Paul Arah
---
 netlify.toml | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/netlify.toml b/netlify.toml
index 0fd5ffee6..10e7bf5bd 100644
--- a/netlify.toml
+++ b/netlify.toml
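Review bot: `X-Frame-Options = "DENY"` and the CSP's `frame-ancestors 'self'` in the new `[headers.values]` block disagree: browsers that understand frame-ancestors ignore X-Frame-Options, so same-origin framing is allowed there but refused by older clients honouring DENY; pick one intent, either `frame-ancestors 'none'` if the site is never to be framed, or `X-Frame-Options = "SAMEORIGIN"` to match the CSP. The policy is Report-Only but carries no `report-to`/`report-uri` directive, so violations only surface in the visitor's browser console and the report-only phase yields no data for the team; add a reporting endpoint such as `report-uri <REPORTING_ENDPOINT>` (placeholder) before using it to decide when to enforce. `script-src 'unsafe-inline'` leaves the script policy with little XSS value; the inline bootstrap scripts a `gatsby build` emits are presumably why it is there, and moving those to hashes or nonces is what would make enforcement meaningful. `Strict-Transport-Security` without `includeSubDomains` protects only this host; worth adding if every subdomain serves HTTPS.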
@@ -5,9 +5,21 @@
 [[headers]]
 for = "/*"
 [headers.values]
- Content-Security-Policy-Report-Only = "default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'self'; form-action 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https://www.google-analytics.com; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://www.google-analytics.com https://region1.google-analytics.com; frame-src 'self' https://www.youtube.com https://player.vimeo.com"
+ Content-Security-Policy-Report-Only = """
+ default-src 'self';
+ base-uri 'self';
+ object-src 'none';
+ frame-ancestors 'self';
+ form-action 'self';
+ script-src 'self' 'unsafe-inline' https://www.googletagmanager.com https://www.google-analytics.com;
+ style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
+ img-src 'self' data: https://www.google-analytics.com;
+ font-src 'self' https://fonts.gstatic.com data:;
+ connect-src 'self' https://www.google-analytics.com https://region1.google-analytics.com;
+ frame-src 'self' https://www.youtube.com
+ """
 Permissions-Policy = "accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self), usb=(), xr-spatial-tracking=(), browsing-topics=()"
 Referrer-Policy = "strict-origin-when-cross-origin"
 X-Content-Type-Options = "nosniff"
 X-Frame-Options = "DENY"
- Strict-Transport-Security = "max-age=31536000"
+ Strict-Tra

From 50c87b71e793efcc7e2b1db4b5ee1ef4e2227c2a Mon Sep 17 00:00:00 2001
From: Paul Arah
Date: Mon, 18 Aug 2025 19:31:17 +0100
Subject: [PATCH 3/3] fix: format netlify.toml file
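Review bot: The subject says "enforce csp", but the header key stays `Content-Security-Policy-Report-Only`, so the policy is still only reported and nothing is blocked; enforcement needs the key renamed to `Content-Security-Policy`, and patch 3/3 leaves the same Report-Only key in place, so this applies to the final state as well. The rewrite also drops `https://player.vimeo.com` from `frame-src` without the message saying so; if any page embeds Vimeo, that embed is reported now and blocked once the policy is enforced, so presumably the removal is deliberate and worth stating in the commit message. Keeping the two steps distinct, a report-only period that actually delivers reports first and then the key flip, makes the later enforcement commit easy to review.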
Signed-off-by: Paul Arah
---
 netlify.toml | 16 ++-------------
 1 file changed, 2 insertions(+), 14 deletions(-)

diff --git a/netlify.toml b/netlify.toml
index 10e7bf5bd..071fa79c5 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -5,21 +5,9 @@
 [[headers]]
 for = "/*"
 [headers.values]
- Content-Security-Policy-Report-Only = """
- default-src 'self';
- base-uri 'self';
- object-src 'none';
- frame-ancestors 'self';
- form-action 'self';
- script-src 'self' 'unsafe-inline' https://www.googletagmanager.com https://www.google-analytics.com;
- style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
- img-src 'self' data: https://www.google-analytics.com;
- font-src 'self' https://fonts.gstatic.com data:;
- connect-src 'self' https://www.google-analytics.com https://region1.google-analytics.com;
- frame-src 'self' https://www.youtube.com
- """
+ Content-Security-Policy-Report-Only = "default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'self'; form-action 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https://www.google-analytics.com; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' https://www.google-analytics.com https://region1.google-analytics.com; frame-src 'self' https://www.youtube.com"
 Permissions-Policy = "accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self), usb=(), xr-spatial-tracking=(), browsing-topics=()"
 Referrer-Policy = "strict-origin-when-cross-origin"
 X-Content-Type-Options = "nosniff"
 X-Frame-Options = "DENY"
- Strict-Tra
+ Strict-Transport-Security = "max-age=31536000"