
Commit c447250

committed
Clean up scripts
1 parent 9d571f3 commit c447250


2 files changed

+92
-71
lines changed


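--- a/bin/_headers.config.ts
+++ b/bin/_headers.config.ts
@@ -17,114 +17,135 @@ const config: HeadersConfig = {
 pattern: '/*',
 headers: {
 'Content-Security-Policy': {
-// Allow AJAX/fetch requests to status page, marketing site, HubSpot, and Google services
 'connect-src': [
-'\'self\'',
+"'self'",
 'https://status.maxmind.com',
 'https://www.maxmind.com',
-// HubSpot API endpoint
-// https://legacydocs.hubspot.com/docs/faq/how-do-i-create-a-custom-domain-for-my-forms
-'https://api.hubspot.com',
-// HubSpot static assets used by conversations embed
+
 // eslint-disable-next-line max-len
-// https://developers.hubspot.com/beta-docs/guides/apps/authentication/working-with-oauth#frequently-asked-questions
+// https://knowledge.hubspot.com/domains-and-urls/ssl-and-domain-security-in-hubspot#content-security-policy
+
+// HubSpot API
+'https://api.hubspot.com',
+
+// HubSpot static assets (conversations embed)
 'https://forms.hsforms.com',
+
 'https://*.googleapis.com',
+
+// eslint-disable-next-line max-len
+// https://developers.google.com/tag-platform/security/guides/csp#google_analytics_4_google_analytics
 'https://*.google-analytics.com',
 'https://*.analytics.google.com',
 'https://*.googletagmanager.com',
+
+// https://developers.google.com/tag-platform/security/guides/csp#google_ads
 'https://*.g.doubleclick.net',
-// Google
-// eslint-disable-next-line max-len
-// https://developers.google.com/tag-platform/tag-manager/csp#google_analytics_4_google_analytics
+
+// Google domains (various TLDs for international support)
 'https://*.google.com',
 ],
 'default-src': [
-'\'self\'',
+"'self'",
 ],
-// Google Fonts and Vertex search (indirectly loaded when setting up the searchbox)
 'font-src': [
-'\'self\'',
+"'self'",
+
+// Loaded indirectly by Google Vertex search
 'https://fonts.gstatic.com',
 ],
 'form-action': [
-'\'self\'',
+"'self'",
 ],
 'frame-ancestors': [
-'\'self\'',
+"'self'",
 ],
-// HubSpot calls-to-action (pop-ups) and chatflows
-// eslint-disable-next-line max-len
-// https://knowledge.hubspot.com/website-pages/use-hubspot-content-on-external-sites#calls-to-action
-// Google Vertex search
 'frame-src': [
-'\'self\'',
+"'self'",
+
+// eslint-disable-next-line max-len
+// https://knowledge.hubspot.com/domains-and-urls/ssl-and-domain-security-in-hubspot#content-security-policy
+
+// HubSpot calls-to-action (pop-ups) and chatflows
 'https://app.hubspot.com',
-'https://www.google.com',
+
+// https://developers.google.com/tag-platform/security/guides/csp#google_ads
 'https://www.googletagmanager.com',
+
+// Google Vertex search
+'https://www.google.com',
 ],
 'img-src': [
-'\'self\'',
+"'self'",
 'data:',
 'https:',
 ],
 'object-src': [
-'\'none\'',
+"'none'",
 ],
 'script-src': [
-'\'self\'',
-'\'report-sample\'',
-'\'unsafe-inline\'',
-// HubSpot tracking code
+"'self'",
+"'report-sample'",
+"'unsafe-inline'",
+
 // eslint-disable-next-line max-len
-// https://developers.hubspot.com/beta-docs/guides/api/tracking-code-api/tracking-code-quickstart-guide#frequently-asked-questions
+// https://knowledge.hubspot.com/domains-and-urls/ssl-and-domain-security-in-hubspot#content-security-policy
+
+// HubSpot tracking code
 'https://js.hs-scripts.com',
-// HubSpot analytics
-// https://knowledge.hubspot.com/reports/install-the-hubspot-tracking-code
+
+// HubSpot Analytics
 'https://js.hs-analytics.net',
+
 // HubSpot cookie banner
-// https://knowledge.hubspot.com/privacy-and-consent/add-a-cookie-banner-to-your-website
 'https://js.hs-banner.com',
-// HubSpot conversations (live chat widget, chat flow)
-// https://knowledge.hubspot.com/chatflows/install-the-hubspot-tracking-code-for-chat
+
+// HubSpot Conversations and Chatflows
 'https://js.usemessages.com',
-// HubSpot form widgets
-// https://legacydocs.hubspot.com/docs/methods/forms/advanced_form_options
+
+// HubSpot forms
 'https://js.hsforms.net',
+
+// MaxMind marketing site
 'https://www.maxmind.com',
-// Google
-// eslint-disable-next-line max-len
-// https://developers.google.com/tag-platform/tag-manager/csp#google_analytics_4_google_analytics
+
+// Google Vertex search
 'https://cloud.google.com',
 'https://www.gstatic.com',
+
+// https://developers.google.com/tag-platform/security/guides/csp#google_ads_conversions
 'https://www.googleadservices.com',
 'https://www.google.com',
+
+// Google Tag Manager
 'https://*.googletagmanager.com',
 ],
-// Google Fonts API and Vertex search
-// Google static assets
 'style-src': [
-'\'self\'',
-'\'unsafe-inline\'',
+"'self'",
+"'unsafe-inline'",
+
+// Google Fonts API and Vertex search default styles
 'https://fonts.googleapis.com',
+
+// Google static assets
 'https://www.gstatic.com',
 ],
 },
 'Feature-Policy': [
-'accelerometer \'none\'',
-'autoplay \'none\'',
-'camera \'none\'',
-'encrypted-media \'none\'',
-'fullscreen \'none\'',
-'geolocation \'none\'',
-'gyroscope \'none\'',
-'magnetometer \'none\'',
-'microphone \'none\'',
-'midi \'none\'',
-'payment \'none\'',
-'picture-in-picture \'none\'',
-'usb \'none\'',
-'sync-xhr \'none\'',
+"accelerometer 'none'",
+"autoplay 'none'",
+"camera 'none'",
+"encrypted-media 'none'",
+"fullscreen 'none'",
+"geolocation 'none'",
+"gyroscope 'none'",
+"magnetometer 'none'",
+"microphone 'none'",
+"midi 'none'",
+"payment 'none'",
+"picture-in-picture 'none'",
+"usb 'none'",
+"sync-xhr 'none'",
 ],
 'Permissions-Policy': [
 'accelerometer=()',
@@ -157,23 +178,23 @@ const config: HeadersConfig = {
 'xr-spatial-tracking=()',
 ],
 'Referrer-Policy': [
-'strict-origin-when-cross-origin',
-],
+'strict-origin-when-cross-origin',
+],
 'Strict-Transport-Security': [
 'max-age=63072000',
 'includeSubDomains',
 'preload',
 ],
 'X-Content-Type-Options': [
-'nosniff',
-],
+'nosniff',
+],
 'X-Frame-Options': [
-'DENY',
-],
+'DENY',
+],
 'X-XSS-Protection': [
-'1',
-'mode=block',
-],
+'1',
+'mode=block',
+],
 },
 },
 ],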
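Review bot: `frame-ancestors` is `"'self'"` while `X-Frame-Options` is `'DENY'`, so the two headers state different intents: a browser that honours `frame-ancestors` ignores `X-Frame-Options` when both are present and will permit same-origin framing, while an agent that only knows `X-Frame-Options` refuses all framing. Decide which behaviour is wanted and align them — either `"'none'"` under `frame-ancestors` or `'SAMEORIGIN'` under `X-Frame-Options` — and add a one-line comment on `frame-ancestors` saying it is the authoritative one. Separately, `script-src` and `style-src` keep `'unsafe-inline'`, which leaves the long host allowlist next to it doing little against injected inline script; since this commit rewrites the doc comments, a note such as `// TODO: replace 'unsafe-inline' with nonces/hashes once the HubSpot and GTM snippets are pinned` would record that this is a known gap rather than the intended end state. `'report-sample'` only changes anything when a `report-to`/`report-uri` directive is set, and none is visible in this hunk. The `config` object begins before the first hunk and ends after the second.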

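--- a/bin/generate-headers.ts
+++ b/bin/generate-headers.ts
@@ -35,16 +35,16 @@ function generateHeaders(config: { paths: PathConfig[] }): string {
 
 // Process all headers
 for (const [
-header,
-value,
-] of Object.entries(pathConfig.headers)) {
+header,
+value,
+] of Object.entries(pathConfig.headers)) {
 if (typeof value === 'object' && !Array.isArray(value)) {
 // CSP-style header with directives
 const directives: string[] = [];
 for (const [
-directive,
-sources,
-] of Object.entries(value)) {
+directive,
+sources,
+] of Object.entries(value)) {
 directives.push(`${directive} ${sources.join(' ')}`);
 }
 output += ` ${header}: ${directives.join('; ')}\n`;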
