From d146bf65902fdb97989cc7fcb0314bc6b1496d9a Mon Sep 17 00:00:00 2001
From: Richard van der Hoff
Date: Tue, 29 Mar 2022 14:47:16 +0100
Subject: [PATCH] Configure response headers for Hugo dev server

make the dev server serve response headers which match the live site, for better testing.
---
 .github/_typos.toml | 2 +-
 config.toml | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/.github/_typos.toml b/.github/_typos.toml
index 4aff005f..e48ab53c 100644
--- a/.github/_typos.toml
+++ b/.github/_typos.toml
@@ -1,5 +1,5 @@
 [files]
-extend-exclude = ["/themes", "/attic", "/data-definitions", "*.css", "package-lock.json"]
+extend-exclude = ["/themes", "/attic", "/data-definitions", "*.css", "syntax.scss", "package-lock.json"]
 [default]
 check-filename = true
diff --git a/config.toml b/config.toml
index a3d1644c..eabc50e2 100644
--- a/config.toml
+++ b/config.toml
@@ -88,3 +88,19 @@ rendered_data_collapsed = false
 url = "https://twitter.com/matrixdotorg"
 icon = "fab fa-twitter"
 desc = "Matrix on Twitter"
+
+ # configuration for the hugo development server
+[server]
+ # set HTTP response headers to match the production site. Compare the Apache config for `spec.matrix.org`.
+[[server.headers]]
+ for = '/**'
+ [server.headers.values]
+ Content-Security-Policy = "default-src 'self'; style-src 'self'; script-src 'self'; img-src 'self' data:; connect-src 'self'; font-src 'self' data:; media-src 'self'; child-src 'self'; form-action 'self'; object-src 'self'"
+ X-XSS-Protection = "1; mode=block"
+ X-Content-Type-Options = "nosniff"
+ # Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload"
+ X-Frame-Options = "sameorigin"
+ Access-Control-Allow-Origin = "*"
+ Access-Control-Allow-Methods = "GET"
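Review bot: The commented-out `# Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload"` line in the config.toml hunk carries no rationale, so a later reader cannot tell whether it was forgotten or deliberately left out; I would replace it with `# Strict-Transport-Security is intentionally not sent by the dev server: it presumably serves plain HTTP, and an HSTS entry cached for localhost would persist in the browser well beyond one session`, keeping the production value in the comment if that is useful for parity. `X-XSS-Protection = "1; mode=block"` is a deprecated header that current browsers ignore; keeping it for parity is fine, but a trailing `# legacy header; the Content-Security-Policy above is the effective control` would stop someone from treating it as a live defence. The bare `[server]` header adds nothing, since `[[server.headers]]` creates that table implicitly, so it can be dropped unless it is wanted as an anchor for the comment. Whether these values still match the Apache config for spec.matrix.org cannot be checked from this patch, so the parity claim in the comment is what needs re-verifying whenever either side changes.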