# Cloudflare Pages — response headers
# Spec reference: https://specification.website/spec/security/
#
# Strong defaults across the whole site. Tighten per-path as needed.
# Pages applies every rule whose pattern matches, so a per-path rule below
# *adds to* the `/*` headers rather than replacing them; detach a global header
# for one path with `! Header-Name` (re-check the Pages `_headers` docs if a
# rule appears not to merge).
#
# Why each global header is there, and what it does NOT cover:
# - Strict-Transport-Security: two years with includeSubDomains. That pins
#   every subdomain — including mcp.specification.website, linked below — to
#   HTTPS, so each one must terminate TLS. `preload` is deliberately absent:
#   add it only when submitting to hstspreload.org, because it is hard to undo.
# - Content-Security-Policy: script-src is 'self' plus the hashes listed
#   below. 'wasm-unsafe-eval' allows WebAssembly instantiation (presumably for
#   the Pagefind search index — confirm before removing it). style-src still
#   allows 'unsafe-inline', so inline-style injection (CSS-based exfiltration)
#   is not blocked; the Trusted Types policy covers script sinks only.
#   Violation reports use `report-to` only — engines without the Reporting API
#   send nothing; add `report-uri /reports` alongside if those reports matter.
# - frame-ancestors 'none' is the framing control; X-Frame-Options: DENY is
#   kept for engines that predate it (CSP wins where both are understood).
# - Cross-Origin-Opener-Policy: same-origin without COEP means the site is
#   not cross-origin isolated (no SharedArrayBuffer); fine unless something
#   later needs it.
# - Cross-Origin-Resource-Policy: same-site governs no-cors embedding only.
#   The per-path `Access-Control-Allow-Origin: *` rules below still work,
#   because CORS-mode fetches are decided by the ACAO header, not by CORP.
# - X-Content-Type-Options: nosniff makes the explicit Content-Type rules
#   below load-bearing: a mistyped file is refused, not sniffed.
# - Permissions-Policy: interest-cohort=() is a legacy FLoC opt-out and is
#   harmless to keep.
#
# CSP script-src hashes:
# sha256-N74A… — dark-mode init inline script (also sets the theme-color meta)
# sha256-UU9x… — speculationrules block in BaseLayout.astro (keep
# 'inline-speculation-rules' too; the hash is the fallback for
# contexts where Chrome ignores that keyword). Recompute the hash
# if those rules change.
# sha256-8wqC… — the inline <script type="importmap"> in BaseLayout.astro
# that pins pagefind.js (src/lib/integrity.ts). Recompute if the import
# map serialisation or the pagefind.js hash changes.
# A hash that no longer matches fails closed: the script is blocked and a
# report lands at /reports, so a CSP report naming one of these is the
# first symptom of a stale hash.
#
# Plausible is self-hosted at /js/plausible.js (a frozen copy of
# plausible.io/js/script.js, refreshed daily by
# .github/workflows/refresh-plausible.yml) and pinned with an SRI hash
# computed at build time (src/lib/integrity.ts). That is why script-src is
# 'self' with no plausible.io — only the events endpoint stays in connect-src.
# Supply-chain caveat: the SRI hash pins the copy *we* built, not what
# plausible.io shipped. It stops tampering between build and browser; it does
# not vet upstream. The refresh workflow's diff is the place to review what
# changed before it reaches a deploy.
#
# Integrity-Policy-Report-Only: every first-party script now carries an SRI
# `integrity` attribute (src/lib/integrity.ts, the pagefind*/webmcp hashes, and
# the admin-stats.js literal), so this report-only policy should fire *no*
# violations in normal browsing — it is a regression tripwire: a report to
# /reports means a script shipped without integrity. Flip to enforcing
# `Integrity-Policy` once the /reports stream confirms a clean run; in
# enforcing mode such a script is blocked outright, so confirm the clean run
# across the full site, not just the home page. Worked example for
# /spec/security/subresource-integrity/.
/*
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()
Content-Security-Policy: default-src 'self'; script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules' 'sha256-N74AzU+1FxvXAWIxrP2zNCBUxV949ZHOXXqjTvbusx0=' 'sha256-UU9xsfeOKmx3D7Lk33alkWn1rIjk46pD684u4pupy4o=' 'sha256-8wqCJSSabgg10EbyE8Gnnwc8zsNpWH4v1wi4+NcyfRI='; worker-src 'self' blob:; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self' https://plausible.io; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; object-src 'none'; report-to csp-endpoint; upgrade-insecure-requests
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; trusted-types default dompurify; report-to csp-endpoint
Integrity-Policy-Report-Only: blocked-destinations=(script), endpoints=(integrity-endpoint)
Reporting-Endpoints: csp-endpoint="/reports", default="/reports", integrity-endpoint="/reports"
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-site
X-Frame-Options: DENY
No-Vary-Search: params=("utm_source" "utm_medium" "utm_campaign" "utm_content" "utm_term" "gclid" "fbclid" "msclkid" "mc_cid" "mc_eid" "ref"), key-order
Link: </llms.txt>; rel="describedby"; type="text/markdown"; title="Site index for LLMs", </llms-full.txt>; rel="alternate"; type="text/markdown"; title="Full content as Markdown", </.well-known/api-catalog>; rel="api-catalog"; type="application/linkset+json", </.well-known/mcp/server-card.json>; rel="mcp"; type="application/json"; title="MCP server card", <https://mcp.specification.website/mcp>; rel="related"; title="MCP endpoint", </.well-known/agent-card.json>; rel="service-desc"; type="application/json"; title="A2A agent card", <https://mcp.specification.website/a2a/v1>; rel="related"; title="A2A endpoint", </.well-known/agent-skills/index.json>; rel="agent-skills"; type="application/json"; title="Agent Skills discovery index", </.well-known/ai-catalog.json>; rel="ai-catalog"; type="application/ai-catalog+json"; title="Agentic Resource Discovery catalog", </sitemap-index.xml>; rel="sitemap"; type="application/xml", </rss.xml>; rel="alternate"; type="application/rss+xml"; title="Feed of spec changes", </changelog/rss.xml>; rel="alternate"; type="application/rss+xml"; title="Changelog feed", </.well-known/security.txt>; rel="security"; type="text/plain"
# Self-hosted Plausible tracker. Not fingerprinted and refreshed in place by
# the daily job, so keep the cache short: the HTML's SRI hash updates in the
# same deploy, and a long-lived stale copy would fail the integrity check.
# must-revalidate stops caches from serving a copy past max-age, so the worst
# case after a refresh is a ten-minute window in which a stale cached copy is
# rejected by SRI — the tracker then simply does not run (fail closed, not
# fail open). Do not move this path under the immutable rules below.
/js/plausible.js
Content-Type: text/javascript; charset=utf-8
Cache-Control: public, max-age=600, must-revalidate
# Long cache for fingerprinted assets. `immutable` is only safe because the
# content hash is in the filename; both paths must hold fingerprinted files
# only — an un-fingerprinted file placed here could never be updated for a
# year in clients that already cached it.
/_astro/*
Cache-Control: public, max-age=31536000, immutable
/fonts/*
Cache-Control: public, max-age=31536000, immutable
# Well-known files served with the right type. With nosniff set globally, an
# explicit Content-Type is what makes these readable at all: a mismatched
# type is refused rather than sniffed, so add a rule here for every new
# plain-text or JSON discovery file.
/.well-known/security.txt
Content-Type: text/plain; charset=utf-8
Cache-Control: public, max-age=3600
/llms.txt
Content-Type: text/plain; charset=utf-8
/llms-full.txt
Content-Type: text/plain; charset=utf-8
/robots.txt
Content-Type: text/plain; charset=utf-8
/humans.txt
Content-Type: text/plain; charset=utf-8
# Per-page Markdown source served from /spec/<category>/<slug>.md
/spec/*.md
Content-Type: text/markdown; charset=utf-8
Cache-Control: public, max-age=3600, stale-if-error=86400
# Checklist as a copy-and-paste Markdown task list
/checklist.md
Content-Type: text/markdown; charset=utf-8
Cache-Control: public, max-age=3600, stale-if-error=86400
# OKF bundle — Markdown concept tree served as text/markdown. The pattern
# covers every file under /okf/, so anything non-Markdown placed there (an
# index JSON, for example) would be mislabelled and, with nosniff, unusable —
# give such files their own rule.
/okf/*
Content-Type: text/markdown; charset=utf-8
Cache-Control: public, max-age=3600, stale-if-error=86400
Access-Control-Allow-Origin: *
# OKF bundle — packaged gzipped tar of the whole tree
/okf.tar.gz
Content-Type: application/gzip
Cache-Control: public, max-age=3600, stale-if-error=86400
Access-Control-Allow-Origin: *
# Per-page JSON-LD graph served from /spec/<category>/<slug>.jsonld
/spec/*.jsonld
Content-Type: application/ld+json; charset=utf-8
Cache-Control: public, max-age=3600, stale-if-error=86400
Access-Control-Allow-Origin: *
# Schemamap index — JSON-LD discovery for the whole site
/schemamap.xml
Content-Type: application/xml; charset=utf-8
Cache-Control: public, max-age=3600
Access-Control-Allow-Origin: *
# XML sitemaps — index + per-category + general pages
/sitemap-*.xml
Content-Type: application/xml; charset=utf-8
Cache-Control: public, max-age=3600, stale-if-error=86400
# Sitemap XSL stylesheet — styles the XML when viewed in a browser
/sitemap.xsl
Content-Type: application/xslt+xml; charset=utf-8
Cache-Control: public, max-age=3600
# RFC 9727 — Publishing Organisation API Information
/.well-known/api-catalog
Content-Type: application/linkset+json; charset=utf-8
Cache-Control: public, max-age=3600
# MCP server card discovery
/.well-known/mcp/server-card.json
Content-Type: application/json; charset=utf-8
Cache-Control: public, max-age=3600
Access-Control-Allow-Origin: *
# A2A agent card discovery (a2a-protocol.org)
/.well-known/agent-card.json
Content-Type: application/json; charset=utf-8
Cache-Control: public, max-age=3600
Access-Control-Allow-Origin: *
# Agent Skills Discovery (RFC v0.2.0)
/.well-known/agent-skills/index.json
Content-Type: application/json; charset=utf-8
Cache-Control: public, max-age=3600
Access-Control-Allow-Origin: *
# Glama MCP connector ownership claim (glama.ai)
/.well-known/glama.json
Content-Type: application/json; charset=utf-8
Cache-Control: public, max-age=3600
Access-Control-Allow-Origin: *
# Agentic Resource Discovery (ARD) — AI Catalog manifest
/.well-known/ai-catalog.json
Content-Type: application/ai-catalog+json; charset=utf-8
Cache-Control: public, max-age=3600
Access-Control-Allow-Origin: *
# JWK Set — public key for verifying the AI Catalog trustManifest signature.
# Consumers may cache this for up to an hour, so rotate with overlap: publish
# the new key here (and let max-age elapse) before signing with it, and keep
# the old key listed until signatures made with it have aged out. Public key
# material only — nothing private belongs in this file.
/.well-known/jwks.json
Content-Type: application/jwk-set+json; charset=utf-8
Cache-Control: public, max-age=3600
Access-Control-Allow-Origin: *
/.well-known/agent-skills/*/SKILL.md
Content-Type: text/markdown; charset=utf-8
Cache-Control: public, max-age=3600
Access-Control-Allow-Origin: *