I have a simple React web app hosted on Netlify with my own domain. Below are the details:
I tried to list the site on Google, but it did not pass the security check:
> 1 issue detected
> Google has detected harmful content on some of your site's pages. We recommend that you remove it as soon as possible. Until then, browsers such as Google Chrome will display a warning when users visit or download certain files from your site.
> Deceptive pages
> Description: These pages attempt to trick users into doing something dangerous, such as installing unwanted software or revealing personal information.
What I have tried so far:
- tried adding a `_headers` file to the build folder: it ended up removing all CSS from my website, so I reverted it.
- tried adding a `netlify.toml` file at the root of the app, but that did not seem to take any effect. Am I doing something wrong?
This is the content of my `netlify.toml` file:
```toml
[[headers]]
  for = "/*"
  [headers.values]
    X-Frame-Options = "SAMEORIGIN"
    X-Content-Type-Options = "nosniff"
    X-XSS-Protection = "1; mode=block"
```
What I'm using for testing:
Although it received a good rating, there were suggestions for improvement, particularly:
- Missing security header for clickjacking protection. Alternatively, you can use `Content-Security-Policy: frame-ancestors 'none'`.
- Missing security header to prevent content-type sniffing.
- Missing Content-Security-Policy directive. We recommend adding the following CSP directives (you can use `default-src` if all values are the same): `script-src`, `object-src`, `base-uri`, `frame-src`.
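For reference, here is an added example of a `netlify.toml` that keeps the three headers from the question and adds the CSP directives the scanner lists. This is not the poster's file and not Netlify's or Create React App's own configuration; it assumes a Create React App project whose publish directory is `build`, and that every script and frame the page needs comes from the site's own origin (the `'self'` and `'none'` source lists are assumptions to adjust if you load third-party scripts or embed iframes).

```toml
# Added example (not the poster's file). Assumes Create React App with
# publish directory "build" and no third-party scripts or embedded frames.
[build]
  publish = "build"

[[headers]]
  # Apply to every path served by the site.
  for = "/*"
  [headers.values]
    # Browsers that understand CSP frame-ancestors ignore X-Frame-Options,
    # so keep the two in agreement: DENY here, 'none' in the CSP below.
    X-Frame-Options = "DENY"
    X-Content-Type-Options = "nosniff"
    # Legacy header kept from the original config; current browsers ignore it,
    # the CSP does the real work.
    X-XSS-Protection = "1; mode=block"
    # frame-ancestors cannot be delivered via a <meta> tag, only as a response
    # header, which is why it belongs in the Netlify header config.
    Content-Security-Policy = "frame-ancestors 'none'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-src 'none'"
```

Two things to check after deploying this. First, Netlify applies these headers on the deployed site only, so test with `curl -I https://your-domain/` against the live URL rather than a local dev server. Second, a production Create React App build inlines the webpack runtime as an inline `<script>`, which `script-src 'self'` blocks and which would break the app; set `INLINE_RUNTIME_CHUNK=false` in the build environment so the runtime is emitted as a separate file. If you prefer the `_headers` file instead, Netlify reads it from the publish directory, so for CRA put it in `public/` and let the build copy it into `build/`; anything placed in `build/` by hand is lost on the next build. Note also that none of these headers address the Safe Browsing "Deceptive pages" finding itself: that flag is about page content, so the flagged pages have to be identified and cleaned (or the false positive appealed) through Search Console's review request.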