# This should be used for docs also
#
# Script-src and most other CSP directives are set via SvelteKit's built-in
# hash mode (web-admin/svelte.config.js), which computes SHA-256 hashes of
# inline scripts at build time and injects them into a
# <meta http-equiv="Content-Security-Policy"> tag in each HTML page.
# This removes the need for 'unsafe-inline' in script-src.
#
# frame-ancestors cannot be set via <meta> and must remain in HTTP headers
# (browsers also ignore report-uri and sandbox when delivered via <meta>).
# It varies per route (main app restricts to same-origin; embed/share routes
# allow any HTTPS origin), so it is the only CSP directive kept here.
# Browsers enforce every CSP they receive independently, so the header policy
# below is combined with the <meta> policy: a directive added here can only
# tighten what the <meta> policy allows, never loosen it.
#
# Header accumulation: Netlify accumulates headers from all matching rules.
# Same-name headers from more specific paths override the broader path's value.
# The embed and share routes only need to override Content-Security-Policy;
# all other headers are inherited from the default "/*" rule.
# NOTE(review): this presumably also means a header set on "/*" can be replaced
# for a narrower path but not removed there — confirm against Netlify docs.
# Default security headers for main application.
[[headers]]
for = "/*"
[headers.values]
# Same-origin framing only; the embed/share rules below replace this value.
Content-Security-Policy = "frame-ancestors 'self'"
# Powerful features are disabled for all origins except sync-xhr and
# fullscreen, which are allowed for same-origin documents only.
Permissions-Policy = "geolocation=(),midi=(),sync-xhr=(self),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"
# No Referer header is sent at all, not even to same-origin targets.
Referrer-Policy = "no-referrer"
# Browsers must honour the declared Content-Type instead of sniffing it.
X-Content-Type-Options = "nosniff"
# "credentialless" loads cross-origin no-cors subresources without
# credentials rather than blocking them outright (as "require-corp" would).
Cross-Origin-Embedder-Policy = "credentialless"
# "unsafe-none" is the browser default: opener links are kept, so pages here
# are not cross-origin isolated (COEP alone does not grant isolation).
Cross-Origin-Opener-Policy = "unsafe-none"
# Responses may be loaded by documents on any origin; presumably required for
# the embed/share routes that share this rule — confirm.
Cross-Origin-Resource-Policy = "cross-origin"
# One year, all subdomains, eligible for the HSTS preload list. Preload is
# effectively irreversible: every subdomain must keep serving valid HTTPS.
Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload"
# Embed routes - allow framing from any HTTPS origin.
# "https:" is a scheme source: any HTTPS site may frame these pages, so they
# should render only content that is safe to show inside a third-party page
# (assumed public/read-only here — confirm). Plain-HTTP framing stays blocked.
# Every other header is inherited from the "/*" rule.
[[headers]]
for = "/-/embed/*"
[headers.values]
Content-Security-Policy = "frame-ancestors https:"
# Public share routes - allow framing from any HTTPS origin.
# Same scheme-source policy as the embed routes: any HTTPS site may frame
# these pages, so they should serve only public, read-only content — confirm.
# NOTE(review): the pattern has a wildcard in the middle of the path; confirm
# that Netlify matches it as intended. If it does not match, these routes fall
# back to the "/*" rule (frame-ancestors 'self') and the share embed breaks
# closed; if it matches more broadly than intended, extra routes become
# frameable by any HTTPS origin.
[[headers]]
for = "/*/-/share/*"
[headers.values]
Content-Security-Policy = "frame-ancestors https:"