Web Security for Hugo and Netlify-CMS

01.13.23
Hugo Netlify Netlify-CMS Security

Getting an A+ rating

In my ‘netlify.toml’:

[[headers]]
  for = "/*"
  [headers.values]
    X-Frame-Options = "DENY"
    # Legacy header; current browsers have removed the XSS auditor, so CSP below does the real work
    X-XSS-Protection = "1; mode=block"
    X-Content-Type-Options = "nosniff"
    Content-Security-Policy = "img-src 'self' roryhinkel.com www.roryhinkel.com unpkg.com netlify.com; script-src-elem 'unsafe-inline' unpkg.com netlify.com roryhinkel.com 'self'; style-src-attr 'unsafe-inline' unpkg.com netlify.com; style-src-elem 'self' 'unsafe-inline' unpkg.com netlify.com roryhinkel.com www.roryhinkel.com"
    # Content-Security-Policy-Report-Only = "default-src 'none'; form-action 'none'; frame-ancestors 'none';"
    Referrer-Policy = "strict-origin-when-cross-origin"
    # max-age is in seconds: 2592000 = 30 days
    Strict-Transport-Security = "max-age=2592000"
    # Feature-Policy has been superseded by Permissions-Policy in current browsers; kept here as the author set it
    Feature-Policy = "vibrate 'none'; geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'none'; payment 'none'"

If you exclude ‘unpkg.com’ and ‘netlify.com’ from the ‘Content-Security-Policy’ while using Netlify-CMS, the admin page won’t load properly. If you follow my guide to serve Netlify-CMS locally via NPM, you can omit ‘unpkg.com’ and ‘netlify.com’.

For use on your own website, simply copy the code above to the bottom of your ‘netlify.toml’ file. Replace all instances of my URL with your own, and you’re good to go.
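Before deploying a policy like the one above, it helps to lint it rather than eyeballing it: which directives are missing a fallback, where 'unsafe-inline' still applies to scripts, and which script hosts are third parties that only exist to serve the hosted Netlify-CMS bundle. The following is an added example, not code from the original post or from Netlify; it parses a CSP header value with the browser's first-directive-wins rule and audits it. The sample policy string is copied from the netlify.toml above, and OWN_HOSTS is an assumption standing in for whatever domains you would substitute for the author's.

```python
"""Parse and audit a Content-Security-Policy header value (added example)."""
from __future__ import annotations

# Constructed sample: the CSP value from the netlify.toml above, embedded so this runs offline.
SAMPLE_CSP = (
    "img-src 'self' roryhinkel.com www.roryhinkel.com unpkg.com netlify.com; "
    "script-src-elem 'unsafe-inline' unpkg.com netlify.com roryhinkel.com 'self'; "
    "style-src-attr 'unsafe-inline' unpkg.com netlify.com; "
    "style-src-elem 'self' 'unsafe-inline' unpkg.com netlify.com roryhinkel.com www.roryhinkel.com"
)

# Assumption: the site's own hostnames; replace with yours when you replace the author's URL.
OWN_HOSTS = {"roryhinkel.com", "www.roryhinkel.com"}

SCRIPT_DIRECTIVES = ("default-src", "script-src", "script-src-elem", "script-src-attr")


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP string into {directive: [sources]}.

    Directives are ';'-separated, names are case-insensitive, and browsers
    ignore a repeated directive name (the first occurrence wins).
    """
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name not in directives:
            directives[name] = sources
    return directives


def is_host_source(src: str) -> bool:
    """True for host expressions; keyword ('self') and scheme (https:) sources are excluded."""
    return not src.startswith("'") and not src.endswith(":") and src != "*"


def third_party_script_hosts(value: str, own_hosts: set[str]) -> set[str]:
    """Hosts allowed to supply script that are not the site itself.

    For the policy above this is exactly the pair the post says Netlify-CMS needs
    when it is loaded from the CDN, and that can be dropped once the CMS is served locally.
    """
    d = parse_csp(value)
    hosts: set[str] = set()
    for name in SCRIPT_DIRECTIVES:
        for src in d.get(name, []):
            if is_host_source(src) and src.lstrip("*.") not in own_hosts:
                hosts.add(src)
    return hosts


def audit_csp(value: str) -> list[str]:
    """Return human-readable findings; an empty list means no issue this linter knows about."""
    d = parse_csp(value)
    findings: list[str] = []
    if "default-src" not in d:
        findings.append(
            "missing default-src: fetch directives not listed (connect-src, font-src, "
            "frame-src, object-src, ...) are unrestricted"
        )
    for name in SCRIPT_DIRECTIVES:
        sources = d.get(name, [])
        if "'unsafe-inline'" in sources:
            findings.append(f"{name} allows 'unsafe-inline': injected inline script would execute")
        if "'unsafe-eval'" in sources:
            findings.append(f"{name} allows 'unsafe-eval': string-to-code APIs are permitted")
    for name, sources in d.items():
        if "*" in sources or "http:" in sources:
            findings.append(f"{name} allows any origin via a wildcard or plain http:")
    if "frame-ancestors" not in d:
        findings.append("missing frame-ancestors: clickjacking protection relies on X-Frame-Options alone")
    return findings


if __name__ == "__main__":
    print("third-party script hosts:", sorted(third_party_script_hosts(SAMPLE_CSP, OWN_HOSTS)))
    for finding in audit_csp(SAMPLE_CSP):
        print("-", finding)
```

Running it against the sample reports unpkg.com and netlify.com as the only third-party script hosts, and flags the absent default-src, the 'unsafe-inline' on script-src-elem, and the missing frame-ancestors; the commented-out Report-Only line in the netlify.toml above is the usual way to trial those three additions without breaking the CMS admin page.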

