netlify.toml
# Settings in the [build] context are global and are applied to
# all contexts unless otherwise overridden by more specific contexts.
[build]
# Directory that contains the deploy-ready HTML files and
# assets generated by the build. This is relative to the base
# directory if one has been set, or the root directory if
# a base has not been set. This site publishes the "public"
# directory, which is where the hugo commands in the contexts
# below write their output (--destination ../public, relative
# to --source=exampleSite).
publish = 'public'
[build.environment]
# Hugo release used for the build. Pinning an exact version keeps
# every deploy on the same, known toolchain.
HUGO_VERSION = '0.121.0'
# Overrides Hugo's enableGitInfo setting through the environment.
# Environment variables are always strings, hence the quoted 'true'.
HUGO_ENABLEGITINFO = 'true'
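# Production context: all deploys from the Production branch
# set in your site's Branches settings in the UI will inherit
# these settings. You can define environment variables
# here, but we recommend using the Netlify UI for sensitive
# values to keep them out of your source repository.
[context.production]
# Build the site with hugo, then copy google68c3edfdb3673ddb.html
# (presumably a Google site-verification file) into the published
# directory.
#
# The two steps are chained with && rather than ';'. With ';' the
# shell would run cp even after a failed hugo build and report only
# cp's exit status, so a broken or partial build could be published
# to production as a "successful" deploy.
command = 'hugo --source=exampleSite --baseURL ${URL} --destination ../public --minify && cp google68c3edfdb3673ddb.html ./public'
[context.production.environment]
HUGO_ENV = 'production'
# Repeats the global [build.environment] value for this context.
HUGO_ENABLEGITINFO = 'true'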
# Deploy Preview context: all deploys generated from
# a pull/merge request will inherit these settings.
[context.deploy-preview]
# Runs the npm "netlify-preview" script, then builds the site against
# the preview URL (${DEPLOY_PRIME_URL}).
#
# --buildDrafts and --buildFuture include draft and future-dated
# content, so anyone who can reach a preview URL can read unpublished
# pages. Restrict access to previews if drafts are sensitive.
#
# NOTE(review): the steps are joined with ';', so hugo still runs if
# the npm script fails and only hugo's exit status decides whether the
# deploy succeeds. Use && if the npm step is required -- confirm intent.
command = 'npm run netlify-preview; hugo --source=exampleSite --buildDrafts --buildFuture --baseURL ${DEPLOY_PRIME_URL} --destination ../public --minify'
[context.deploy-preview.environment]
HUGO_ENV = 'development'
# Branch Deploy context: all deploys that are not from
# a pull/merge request or from the Production branch
# will inherit these settings.
[context.branch-deploy]
# Same hugo build as the deploy preview, without --minify and without
# the npm step. Drafts and future-dated content are included here too
# (--buildDrafts --buildFuture), so branch deploy URLs expose
# unpublished pages to anyone who can reach them.
command = 'hugo --source=exampleSite --buildDrafts --buildFuture --baseURL ${DEPLOY_PRIME_URL} --destination ../public'
[context.branch-deploy.environment]
HUGO_ENV = 'development'
# There is a basic set of standard security headers that every
# website should set to help make it more secure. The rule
# below applies them to every path ('/*').
[[headers]]
for = '/*'
[headers.values]
# This sets whether your website may be rendered inside a frame or not.
# Most of the time you don't want that, as it can open up a website to
# clickjacking. DENY forbids framing by any origin; the CSP below
# repeats this with frame-ancestors 'none', which is the directive
# current browsers prefer when both are present.
X-Frame-Options = 'DENY'
# In older browsers and mainly Safari, this stops pages loading
# when they detect reflected cross-site scripting attacks.
# NOTE(review): this header only drives the legacy browser XSS
# auditor. Chromium has removed the auditor and Firefox never
# implemented it, so the Content-Security-Policy below is the actual
# XSS mitigation. Current OWASP guidance is to send '0' or to drop the
# header, because the auditor itself could be abused in the browsers
# that still had it. Consider changing this value.
X-XSS-Protection = '1; mode=block'
# Used to stop browsers from sniffing and changing the MIME content
# type, so a response is only ever interpreted as its declared
# Content-Type.
X-Content-Type-Options = 'nosniff'
# This controls how much referrer information is included with
# requests. 'same-origin' sends the Referer header only on requests to
# this site's own origin and omits it on cross-origin requests.
Referrer-Policy = 'same-origin'
# Inform browsers that the site should only be accessed using HTTPS,
# and that any future attempts to access it using HTTP should automatically
# be converted to HTTPS.
#
# max-age=31536000 - browsers remember the rule for one year.
#
# includeSubDomains - If this optional parameter is specified, this rule
# applies to all of the site's subdomains as well.
#
# preload - Not a request the browser sends: it signals that the site
# agrees to be added to the HSTS preload lists that browsers
# ship with, so that even the first visit uses HTTPS. It has
# no effect until the domain is actually submitted to such a
# list. Removal from a preload list is slow, so every
# subdomain must be able to serve HTTPS before opting in.
Strict-Transport-Security = 'max-age=31536000; includeSubDomains; preload'
# This used to be called Feature Policy and is mainly only supported by
# Chrome browsers. It's used to control what browser APIs can be used.
# An empty allowlist "()" disables the feature for this site and for
# any frames it embeds.
Permissions-Policy = '''
accelerometer=(),
camera=(),
geolocation=(),
gyroscope=(),
magnetometer=(),
microphone=(),
payment=(),
usb=()'''
# CSP makes it possible for server administrators to reduce or eliminate
# the vectors by which XSS can occur by specifying the domains that the
# browser should consider to be valid sources of executable scripts.
# A CSP compatible browser will then only execute scripts loaded in source
# files received from those allowed domains, ignoring all other scripts
# (including inline scripts and event-handling HTML attributes).
#
# This policy contains no 'unsafe-inline' or 'unsafe-eval', so inline
# <script>/<style> blocks and inline event handlers are blocked.
#
# NOTE(review): script-src is a host allowlist, so any script served
# from one of the listed hosts is trusted. A nonce- or hash-based
# script-src is stricter where the site generator can emit one.
#
# NOTE(review): object-src 'self' still allows plugin content
# (<object>/<embed>) from this origin. 'none' is the usual hardening
# when the site embeds no such content -- confirm before changing.
Content-Security-Policy = """
default-src 'self';
script-src 'self' www.googletagmanager.com hypothes.is cdn.hypothes.is giscus.app;
style-src 'self' cdn.hypothes.is giscus.app;
img-src 'self' data: *.google-analytics.com www.googletagmanager.com www.gstatic.com stats.g.doubleclick.net;
font-src 'self';
connect-src 'self' *.google-analytics.com *.analytics.google.com analytics.google.com www.googletagmanager.com stats.g.doubleclick.net;
media-src 'self';
object-src 'self';
frame-src hypothes.is giscus.app;
worker-src 'self';
frame-ancestors 'none';
form-action 'self' submit-form.com;
upgrade-insecure-requests;
base-uri 'self';
manifest-src 'self'"""
[[headers]]
for = '/feeds/*.xml'
[headers.values]
# The correct Content-Type header for an Atom feed is
# application/atom+xml. However, Chromium does not handle it
# correctly (see https://code.google.com/p/chromium/issues/detail?id=104358).
#
# The most compatible header is 'text/xml; charset=utf-8', which
# will cause the feed to be parsed correctly by most clients.
# Note that you should be encoding your feed in UTF-8.
Content-Type = 'text/xml; charset=utf-8'
[[headers]]
for = '/*/feeds/*.xml'
[headers.values]
# Same Content-Type override as the '/feeds/*.xml' rule, applied to
# Atom feeds served from a "feeds" directory one level below the root.
Content-Type = 'text/xml; charset=utf-8'
[[headers]]
for = '/feeds/*.json'
[headers.values]
# JSON Feed files are served here with the MIME type
# application/feed+json (the type named by JSON Feed 1.1; version 1
# used application/json) and should be encoded using UTF-8.
Content-Type = 'application/feed+json; charset=utf-8'
[[headers]]
for = '/*/feeds/*.json'
[headers.values]
# Same Content-Type as the '/feeds/*.json' rule, applied to JSON feeds
# served from a "feeds" directory one level below the root.
Content-Type = 'application/feed+json; charset=utf-8'
[[headers]]
for = '/manifest.webmanifest'
[headers.values]
# The .webmanifest extension is specified in the Media type registration
# section of the specification (the response of the manifest file should
# return Content-Type: application/manifest+json).
#
# For more see: https://w3c.github.io/manifest/#media-type-registration
Content-Type = 'application/manifest+json; charset=utf-8'
[[headers]]
for = '/robots.txt'
[headers.values]
# The server's robots.txt file must be saved as plain text with
# ASCII character encoding.
# NOTE(review): RFC 9309 specifies UTF-8 for robots.txt. An ASCII-only
# file is valid under both, but declare utf-8 here if the file ever
# contains non-ASCII characters.
Content-Type = 'text/plain; charset=us-ascii'