From 97a33059490a950815469914b27ec783be6bb362 Mon Sep 17 00:00:00 2001
From: mark
Date: Sat, 2 Apr 2022 08:07:50 +0200
Subject: [PATCH] Improve security headers

---
 netlify.toml | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/netlify.toml b/netlify.toml
index b4bc22f7..bb90f130 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -20,20 +20,18 @@
 X-Content-Type-Options = "nosniff"
 X-XSS-Protection = "1; mode=block"
 Content-Security-Policy = """\
- base-uri 'self'; \
- child-src https://utteranc.es; \
 default-src 'self'; \
- font-src 'self' https://fonts.gstatic.com https://fonts.googleapis.com; \
- form-action 'self'; \
- img-src 'self'; \
+ script-src 'report-sample' 'self' https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js https://utteranc.es/client.js; \
+ style-src 'report-sample' 'self' https://fonts.googleapis.com; \
 object-src 'none'; \
- script-src 'report-sample' 'self' \
- https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js \
- https://cdn.jsdelivr.net/npm/flexsearch@0.7.21/dist/flexsearch.bundle.js \
- https://utteranc.es/client.js; \
- style-src 'report-sample' 'self' \
- https://fonts.googleapis.com \
- https://cdn.jsdelivr.net/npm/flexsearch@0.7.21/dist/flexsearch.bundle.js \
+ base-uri 'self'; \
+ connect-src 'self'; \
+ font-src 'self' https://fonts.gstatic.com; \
+ frame-src 'self' https://utteranc.es; \
+ img-src 'self'; \
+ manifest-src 'self'; \
+ media-src 'self'; \
+ worker-src 'none'; \
 """
 X-Frame-Options = "SAMEORIGIN"
 Referrer-Policy = "strict-origin"
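Review bot: The rewritten Content-Security-Policy drops `form-action 'self'` while reordering the directives, and unlike the fetch directives `form-action` does not fall back to `default-src`, so the new policy no longer restricts where forms on the page may submit; re-add `form-action 'self'; \` to the new directive list. A `frame-ancestors 'self'; \` directive could go alongside it, since embedding control otherwise rests only on the X-Frame-Options context line. The flexsearch bundle is removed from both script-src and style-src; if any page still loads it, that load is now blocked, which is worth confirming before merging. `'report-sample'` only has an effect when a report-uri or report-to directive is configured, and none is visible in this hunk.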