Clean up automated header generation

Author: dhogan8

.github/workflows/hugo.yml

@@ -19,6 +19,13 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
+      - uses: actions/setup-node@v6
+        with:
+          node-version: '22.6'
+
+      - name: Install dependencies
+        run: npm ci
+
       - name: Setup Hugo
         uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # 3.0.0
         with:

.github/workflows/lint.yml

@@ -41,7 +41,7 @@ jobs:
 
       - uses: actions/setup-node@v6
         with:
-          node-version: '22'
+          node-version: '22.6'
 
       - name: Get cached dependencies
         uses: actions/cache@v4

.gitignore

@@ -7,3 +7,6 @@ resources/
 
 # Precious install
 local/
+
+# Cloudflare Pages headers
+static/_headers

.nvmrc

@@ -1 +1 @@
-v22
+v22.6.0

.stylelintrc.js renamed to .stylelintrc.cjs

@@ -101,37 +101,27 @@ hugo server
 npm run lint
 ```
 
-#### HTTP Headers Configuration
+#### Cloudflare Pages HTTP Headers Configuration
 
 The `static/_headers` file is automatically generated from
-`scripts/_headers.config.ts`. **Do not edit `static/_headers` directly** - your
-changes will be overwritten.
+`bin/_headers.config.ts`. **Do not edit `static/_headers` directly**.
 
 ##### Making Changes to Headers
 
-1. Edit `scripts/_headers.config.ts` (the source of truth with readable format
+1. Edit `bin/_headers.config.ts` (the source of truth with readable format
    and TypeScript type safety)
-2. Generate the headers file:
+2. Test your changes locally:
    ```sh
    npm run build:headers
    ```
-3. Commit both files - a git pre-commit hook will automatically regenerate
-   `static/_headers` when you modify `scripts/_headers.config.ts`
+3. Commit only `bin/_headers.config.ts` - the headers file is regenerated during
+   deployment
 
-##### Automatic Synchronization
+##### Build-Time Generation
 
-The files stay in sync automatically through:
-
-- **Pre-commit hook** - Regenerates `_headers` when `_headers.config.ts` changes
-- **Build process** - `build.sh` regenerates before deployment
-- **Manual generation** - Run `npm run build:headers` anytime
-
-The TypeScript config format provides:
-
-- Readable multi-line arrays for CSP directives
-- Native TypeScript type safety and IDE support
-- Easy-to-review diffs in pull requests
-- Zero dependencies for parsing
+The `static/_headers` file is generated during the build process via `build.sh`
+and is not committed to git. For local testing, you can manually generate it
+with `npm run build:headers`.
 
 ## Writing Blog Posts
 

README.md

@@ -0,0 +1,182 @@
+/**
+ * HTTP Headers Configuration for Cloudflare Pages
+ * This file is the source of truth for static/_headers generation
+ * Run: npm run build:headers
+ */
+
+interface HeadersConfig {
+  paths: Array<{
+    pattern: string;
+    headers: Record<string, string[] | Record<string, string[]>>;
+  }>;
+}
+
+const config: HeadersConfig = {
+  paths: [
+    {
+      pattern: '/*',
+      headers: {
+        'Content-Security-Policy': {
+          // Allow AJAX/fetch requests to status page, marketing site, HubSpot, and Google services
+          'connect-src': [
+            '\'self\'',
+            'https://status.maxmind.com',
+            'https://www.maxmind.com',
+            // HubSpot API endpoint
+            // https://legacydocs.hubspot.com/docs/faq/how-do-i-create-a-custom-domain-for-my-forms
+            'https://api.hubspot.com',
+            // HubSpot static assets used by conversations embed
+            // eslint-disable-next-line max-len
+            // https://developers.hubspot.com/beta-docs/guides/apps/authentication/working-with-oauth#frequently-asked-questions
+            'https://forms.hsforms.com',
+            'https://*.googleapis.com',
+            'https://*.google-analytics.com',
+            'https://*.analytics.google.com',
+            'https://*.googletagmanager.com',
+            'https://*.g.doubleclick.net',
+            // Google
+            // eslint-disable-next-line max-len
+            // https://developers.google.com/tag-platform/tag-manager/csp#google_analytics_4_google_analytics
+            'https://*.google.com',
+          ],
+          'default-src': [
+            '\'self\'',
+          ],
+          // Google Fonts and Vertex search (indirectly loaded when setting up the searchbox)
+          'font-src': [
+            '\'self\'',
+            'https://fonts.gstatic.com',
+          ],
+          'form-action': [
+            '\'self\'',
+          ],
+          'frame-ancestors': [
+            '\'self\'',
+          ],
+          // HubSpot calls-to-action (pop-ups) and chatflows
+          // eslint-disable-next-line max-len
+          // https://knowledge.hubspot.com/website-pages/use-hubspot-content-on-external-sites#calls-to-action
+          // Google Vertex search
+          'frame-src': [
+            '\'self\'',
+            'https://app.hubspot.com',
+            'https://www.google.com',
+            'https://www.googletagmanager.com',
+          ],
+          'img-src': [
+            '\'self\'',
+            'data:',
+            'https:',
+          ],
+          'object-src': [
+            '\'none\'',
+          ],
+          'script-src': [
+            '\'self\'',
+            '\'report-sample\'',
+            '\'unsafe-inline\'',
+            // HubSpot tracking code
+            // eslint-disable-next-line max-len
+            // https://developers.hubspot.com/beta-docs/guides/api/tracking-code-api/tracking-code-quickstart-guide#frequently-asked-questions
+            'https://js.hs-scripts.com',
+            // HubSpot analytics
+            // https://knowledge.hubspot.com/reports/install-the-hubspot-tracking-code
+            'https://js.hs-analytics.net',
+            // HubSpot cookie banner
+            // https://knowledge.hubspot.com/privacy-and-consent/add-a-cookie-banner-to-your-website
+            'https://js.hs-banner.com',
+            // HubSpot conversations (live chat widget, chat flow)
+            // https://knowledge.hubspot.com/chatflows/install-the-hubspot-tracking-code-for-chat
+            'https://js.usemessages.com',
+            // HubSpot form widgets
+            // https://legacydocs.hubspot.com/docs/methods/forms/advanced_form_options
+            'https://js.hsforms.net',
+            'https://www.maxmind.com',
+            // Google
+            // eslint-disable-next-line max-len
+            // https://developers.google.com/tag-platform/tag-manager/csp#google_analytics_4_google_analytics
+            'https://cloud.google.com',
+            'https://www.gstatic.com',
+            'https://www.googleadservices.com',
+            'https://www.google.com',
+            'https://*.googletagmanager.com',
+          ],
+          // Google Fonts API and Vertex search
+          // Google static assets
+          'style-src': [
+            '\'self\'',
+            '\'unsafe-inline\'',
+            'https://fonts.googleapis.com',
+            'https://www.gstatic.com',
+          ],
+        },
+        'Feature-Policy': [
+          'accelerometer \'none\'',
+          'autoplay \'none\'',
+          'camera \'none\'',
+          'encrypted-media \'none\'',
+          'fullscreen \'none\'',
+          'geolocation \'none\'',
+          'gyroscope \'none\'',
+          'magnetometer \'none\'',
+          'microphone \'none\'',
+          'midi \'none\'',
+          'payment \'none\'',
+          'picture-in-picture \'none\'',
+          'usb \'none\'',
+          'sync-xhr \'none\'',
+        ],
+        'Permissions-Policy': [
+          'accelerometer=()',
+          'ambient-light-sensor=()',
+          'autoplay=()',
+          'battery=()',
+          'camera=()',
+          'display-capture=()',
+          'document-domain=()',
+          'encrypted-media=()',
+          'execution-while-not-rendered=()',
+          'execution-while-out-of-viewport=()',
+          'fullscreen=()',
+          'gamepad=()',
+          'geolocation=()',
+          'gyroscope=()',
+          'hid=()',
+          'idle-detection=()',
+          'magnetometer=()',
+          'microphone=()',
+          'midi=()',
+          'payment=()',
+          'picture-in-picture=()',
+          'publickey-credentials-get=()',
+          'screen-wake-lock=()',
+          'serial=()',
+          'speaker-selection=()',
+          'usb=()',
+          'web-share=()',
+          'xr-spatial-tracking=()',
+        ],
+        'Referrer-Policy': [
+'strict-origin-when-cross-origin',
+],
+        'Strict-Transport-Security': [
+          'max-age=63072000',
+          'includeSubDomains',
+          'preload',
+        ],
+        'X-Content-Type-Options': [
+'nosniff',
+],
+        'X-Frame-Options': [
+'DENY',
+],
+        'X-XSS-Protection': [
+'1',
+'mode=block',
+],
+      },
+    },
+  ],
+};
+
+export default config;

bin/_headers.config.ts

@@ -0,0 +1,78 @@
+/**
+ * Generate static/_headers file from bin/_headers.config.ts
+ *
+ * This script converts a structured TypeScript configuration into the
+ * Cloudflare Pages _headers format.
+ */
+
+import * as fs from 'fs';
+import * as path from 'path';
+
+import config from './_headers.config.ts';
+
+interface PathConfig {
+  pattern: string;
+  headers: Record<string, string[] | Record<string, string[]>>;
+}
+
+/**
+ * Generate _headers file content from config
+ */
+function generateHeaders(config: { paths: PathConfig[] }): string {
+  let output = '';
+
+  // Add warning comment at the top
+  output += '# ⚠️  DO NOT EDIT THIS FILE DIRECTLY!\n';
+  output += '# This file is automatically generated from bin/_headers.config.ts\n';
+  output += '# To make changes, edit bin/_headers.config.ts and run: npm run build:headers\n';
+  output += '#\n';
+  output += '# See README.md for more information\n';
+  output += '\n';
+
+  for (const pathConfig of config.paths) {
+    // Write path pattern
+    output += pathConfig.pattern + '\n';
+
+    // Process all headers
+    for (const [
+header,
+value,
+] of Object.entries(pathConfig.headers)) {
+      if (typeof value === 'object' && !Array.isArray(value)) {
+        // CSP-style header with directives
+        const directives: string[] = [];
+        for (const [
+directive,
+sources,
+] of Object.entries(value)) {
+          directives.push(`${directive} ${sources.join(' ')}`);
+        }
+        output += `  ${header}: ${directives.join('; ')}\n`;
+      } else {
+        // Simple array-based header
+        output += `  ${header}: ${value.join(' ')}\n`;
+      }
+    }
+  }
+
+  return output;
+}
+
+// Main execution
+try {
+  const outputPath = path.join(process.cwd(), 'static', '_headers');
+
+  // Generate headers file
+  const headersContent = generateHeaders(config);
+
+  // Write output file
+  fs.writeFileSync(outputPath, headersContent);
+
+  console.log('✅ Generated static/_headers from bin/_headers.config.ts');
+} catch (error) {
+  console.error(
+    'Error generating headers file:',
+    error instanceof Error ? error.message : String(error)
+  );
+  process.exit(1);
+}

bin/generate-headers.ts

@@ -9,6 +9,6 @@ if [[ "${BUILD_ENV:-}" == "preview" ]]; then
 fi
 
 # Generate _headers file from TypeScript configuration
-npx tsx scripts/generate-headers.ts
+npm run build:headers
 
 hugo --gc --minify -b "$CF_PAGES_URL" "${extra_args[@]}"

build.sh

@@ -144,6 +144,9 @@ export default tseslint.config(
       quotes: [
         'warn',
         'single',
+        {
+          avoidEscape: true,
+        },
       ],
       semi: [
         1,