Configure response headers for Hugo dev server

make the dev server serve response headers which match the live site, for better testing.
2026-03-23 19:44:09 +01:00 · 2022-03-29 14:47:16 +01:00 · 2022-03-29 14:47:16 +01:00 · d146bf6590
parent 084db37b09
commit d146bf6590
2 changed files with 17 additions and 1 deletions
--- a/.github/_typos.toml
+++ b/.github/_typos.toml
@ -1,5 +1,5 @@
 [files]
-extend-exclude = ["/themes", "/attic", "/data-definitions", "*.css", "package-lock.json"]
+extend-exclude = ["/themes", "/attic", "/data-definitions", "*.css", "syntax.scss", "package-lock.json"]

 [default]
 check-filename = true
--- a/config.toml
+++ b/config.toml
@ -88,3 +88,19 @@ rendered_data_collapsed = false
 	url = "https://twitter.com/matrixdotorg"
 	icon = "fab fa-twitter"
  desc = "Matrix on Twitter"
+
+
+# configuration for the hugo development server
+[server]
+
+# set HTTP response headers to match the production site. Compare the Apache config for `spec.matrix.org`.
+[[server.headers]]
+  for = '/**'
+  [server.headers.values]
+    Content-Security-Policy = "default-src 'self'; style-src 'self'; script-src 'self'; img-src 'self' data:; connect-src 'self'; font-src 'self' data:; media-src 'self'; child-src 'self'; form-action 'self'; object-src 'self'"
+    X-XSS-Protection = "1; mode=block"
+    X-Content-Type-Options = "nosniff"
+    # Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload"
+    X-Frame-Options = "sameorigin"
+    Access-Control-Allow-Origin = "*"
+    Access-Control-Allow-Methods = "GET"