| 1 | +# ------- BUILD ------- |
| 2 | +# documentation: https://docs.netlify.com/configure-builds/file-based-configuration/#build-settings |
| 3 | +[build] |
| 4 | +base = "docs/" |
| 5 | + |
| 6 | +# ------- HEADERS ------- |
| 7 | +# documentation: https://www.netlify.com/docs/headers-and-basic-auth/ |
| 8 | +[[headers]] |
| 9 | +for = "/*" |
| 10 | +[headers.values] |
| 11 | +# for a brief introduction into CSPs, see https://infosec.mozilla.org/guidelines/web_security#content-security-policy |
| 12 | +# for an in-depth description, see [An Introduction to Content Security Policy](https://www.html5rocks.com/en/tutorials/security/content-security-policy/) |
| 13 | +# for an up-to-date list of available policies, see |
| 14 | +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy |
| 15 | +# - [OWASP CSP Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Content_Security_Policy_Cheat_Sheet.md) |
| 16 | +# notes: |
| 17 | +# - `connect-src data:` is required for asciinema (asciicast) |
| 18 | +# - `connect-src https://t.counter.dev` is required for counter.dev analytics |
| 19 | +# - `object-src 'self';` has to be set to enable PDF preview in Chrome |
| 20 | +# - `img-src https://r-pkg.org` has to be set for the CRAN badge in the README |
| 21 | +# - `script-src 'unsafe-eval'` is required for MathJax, cf. https://github.com/mathjax/MathJax/issues/1988#issuecomment-384978927 |
| 22 | +# - `script-src https://rpkg.dev` is required for counter.dev analytics |
| 23 | +# - `style-src 'unsafe-inline'` is required for MathJax, cf. https://github.com/mathjax/MathJax/issues/1988#issuecomment-581567775 |
| 24 | +Content-Security-Policy = ''' |
| 25 | + base-uri 'self'; |
| 26 | +
|
| 27 | + default-src 'none'; |
| 28 | + connect-src 'self' data: https://t.counter.dev; |
| 29 | + font-src 'self'; |
| 30 | + img-src 'self' data: https://r-pkg.org; |
| 31 | + manifest-src 'self'; |
| 32 | + object-src 'self'; |
| 33 | + script-src 'self' 'unsafe-eval' https://rpkg.dev; |
| 34 | + style-src 'self' 'unsafe-inline'; |
| 35 | +
|
| 36 | + form-action 'self'; |
| 37 | + frame-ancestors 'none' |
| 38 | +''' |
| 39 | +Referrer-Policy = "strict-origin-when-cross-origin" |
| 40 | +X-Content-Type-Options = "nosniff" |
| 41 | +X-Frame-Options = "DENY" |
| 42 | +X-XSS-Protection = "1; mode=block" |
| 43 | + |
| 44 | +# ------- REDIRECTS ------- |
| 45 | +# Redirect rules are processed [from top to bottom](https://docs.netlify.com/routing/redirects/#rule-processing-order), i.e. first matching one has priority |
| 46 | + |
| 47 | +# fall back to dev site (non-shadowing), so that links not (yet) available in stable site are automatically redirected to dev version if present |
| 48 | +[[redirects]] |
| 49 | +from = "/*" |
| 50 | +to = "/dev/:splat" |
| 51 | +status = 302 |
| 52 | +force = false |
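Review bot: `X-XSS-Protection = "1; mode=block"` (gutter line 42) turns on a legacy browser XSS auditor that current OWASP/MDN guidance says to disable: Chromium and Edge have removed the filter entirely, and in the browsers that still honour it the blocking mode has been used as a cross-site information-leak side channel, so with the CSP above as the real control the line should become `X-XSS-Protection = "0"` or be dropped. Nothing in this file pins HTTPS; unless HSTS is already enabled in the Netlify site settings, adding `Strict-Transport-Security = "max-age=31536000; includeSubDomains"` to the same `[headers.values]` table would close that gap. Separately, the non-forcing fall-back redirect (`from = "/*"`, `to = "/dev/:splat"`, 302) also matches paths that already start with `/dev/`, so a missing `/dev/x` appears to redirect to `/dev/dev/x` and so on until the browser aborts; if Netlify indeed re-evaluates rules on the redirected path, a preceding `[[redirects]]` with `from = "/dev/*"`, `to = "/dev/404.html"`, `status = 404` would turn that loop into a plain not-found response.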