-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathserver.toml
29 lines (26 loc) · 1.53 KB
/
server.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
# Auto-generated file - do not modify
[[headers]]
for = '/**'
[headers.values]
Access-Control-Allow-Origin = '*'
Content-Security-Policy = """
base-uri 'self'; \
connect-src 'self' *.analytics.google.com *.google.com *.google-analytics.com *.googletagmanager.com; \
default-src 'none'; \
font-src 'self' fonts.gstatic.com data:; \
form-action 'self'; \
frame-src *.googletagmanager.com player.cloudinary.com www.youtube-nocookie.com www.youtube.com player.vimeo.com; \
img-src 'self' *.google-analytics.com *.googletagmanager.com googletagmanager.com ssl.gstatic.com www.gstatic.com data: *.imgix.net *.imagekit.io *.cloudinary.com i.ytimg.com tile.openstreetmap.org i.vimeocdn.com; \
manifest-src 'self'; \
media-src 'self'; \
object-src 'none'; \
script-src 'self' *.google-analytics.com *.googletagmanager.com *.analytics.google.com googletagmanager.com tagmanager.google.com player.vimeo.com; \
style-src 'self' googletagmanager.com tagmanager.google.com fonts.googleapis.com www.youtube.com; \
"""
Permissions-Policy = 'geolocation=(), midi=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(), payment=() '
Referrer-Policy = 'strict-origin'
Strict-Transport-Security = 'max-age=31536000; includeSubDomains; preload'
X-Content-Type-Options = 'nosniff'
X-Frame-Options = 'SAMEORIGIN'
X-XSS-Protection = '1; mode=block'
cache-control = 'max-age=0, no-cache, no-store, must-revalidate '