Configure HTTP Headers (#2021)

mkdocs.production.yml

@@ -2,10 +2,8 @@ INHERIT: mkdocs.yml
 plugins:
   meta: {}
   privacy:
-    external_assets_exclude:
-      - cdn.jsdelivr.net/npm/mathjax@3/*
-      - api.privacyguides.net/*
-      - giscus.app/*
+    external_assets_exclude: ['https://cdn.jsdelivr.net/npm/mathjax@3/*', 'https://api.privacyguides.net/*']
+    external_links_noopener: true
   git-committers:
     enabled: !ENV [PRODUCTION, false]
     repository: privacyguides/privacyguides.org

netlify.toml

@@ -5,6 +5,20 @@
 [context.production.environment]
     PRODUCTION = "true"
 
+[[headers]]
+  for = "/*"
+  [headers.values]
+    X-Frame-Options = "DENY"
+    X-XSS-Protection = "0"
+    X-Content-Type-Options = "nosniff"
+    Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
+    Content-Security-Policy = "default-src 'none'; script-src https://www.privacyguides.org https://api.privacyguides.net 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src data: 'self'; connect-src https://api.github.com https://api.privacyguides.net 'self'"
+
+[[headers]]
+  for = "/about/donate/"
+  [headers.values]
+    Content-Security-Policy = "default-src 'none'; script-src https://opencollective.com https://www.privacyguides.org https://api.privacyguides.net 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src https://opencollective.com data: 'self'; connect-src https://api.github.com https://api.privacyguides.net 'self'; frame-src https://opencollective.com"
+
 [[redirects]]
     from = "/.well-known/matrix/*"
     to = "https://matrix.privacyguides.org/.well-known/matrix/:splat"