_headers for newbies

newschapmj1 · June 23, 2020, 5:38pm

my site jnchapmantest.tk

I looked at the _headers docs.

Is this valid for a _headers file?
I want the rule to apply to all .html files, I think.
I have a simple .html site deployed with github

I’m trying to comply with
https://infosec.mozilla.org/guidelines/web_security#x-frame-options
and get my score above D+.

Block site from being framed with X-Frame-Options and CSP

/*.html
Content-Security-Policy: frame-ancestors ‘none’
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors ‘self’
X-Frame-Options: SAMEORIGIN

Did you use the search before posting?
What about reading through our https://answers.netlify.com/search?q=common%20issue?

newschapmj1 · February 26, 2020, 9:21pm

/*
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff

This is a start. I think /* means apply the rules to all the files
Exactly 2 space indent for the 4 lines (not visible in this editor)

luke · February 27, 2020, 9:39am

Hi, @newschapmj1, and welcome to our Netlify community site.

The * rule matches anything and cannot be used to match a partial line. If you use *, the html cannot appear after it or the rule won’t work. So, this is allowed:

/*

While this is not:

/*.html

The header rule below would be applied to all files served by Netlify for this site:

/*
  X-Frame-Options: DENY
  X-XSS-Protection: 1; mode=block
  Referrer-Policy: no-referrer
  X-Content-Type-Options: nosniff

If there are other questions, please let us know.