Create automation for easier to read CSP diffs

Author: dhogan8

README.md

@@ -85,6 +85,32 @@ when files change.
 hugo server
 ```
 
+### HTTP Headers Configuration
+
+The `static/_headers` file is **automatically generated** from
+`scripts/_headers.config.ts`. This automation makes Content Security Policy (CSP)
+diffs more readable in pull requests.
+
+#### ⚠️ Important
+
+**DO NOT edit `static/_headers` directly!** Your changes will be overwritten. Instead,
+edit `scripts/_headers.config.ts`.
+
+#### Making Changes to HTTP Headers
+
+1. Edit `scripts/_headers.config.ts` with your desired header changes
+2. Run `npm run build:headers` to regenerate `static/_headers`
+3. Commit both files together
+
+#### Automated Synchronization
+
+Headers are automatically regenerated in three ways:
+
+1. **Pre-commit hook**: When you commit changes to `scripts/_headers.config.ts`,
+   the hook automatically regenerates `static/_headers` and includes it in your commit
+2. **Build process**: The `build.sh` script regenerates headers before deployment
+3. **Manual generation**: Run `npm run build:headers` anytime
+
 ### Updating Release Notes for the New Year
 
 Whenever you create your first release note for a product category for a new

build.sh

@@ -2,4 +2,7 @@
 
 set -eu
 
+# Generate _headers file from TypeScript configuration
+npx tsx scripts/generate-headers.ts
+
 hugo --gc --minify -b "$CF_PAGES_URL"

git/hooks/pre-commit

@@ -24,4 +24,20 @@ function timed_run() {
     fi
 }
 
+# Regenerate static/_headers from _headers.config.ts if it changed
+if git diff --cached --name-only | grep -q "scripts/_headers.config.ts"; then
+  echo "Detected changes to scripts/_headers.config.ts, regenerating static/_headers..."
+  npx tsx scripts/generate-headers.ts
+  git add static/_headers
+  echo "✅ Updated static/_headers and added to commit"
+fi
+
+# Also regenerate if the generator script itself changed
+if git diff --cached --name-only | grep -q "scripts/generate-headers.ts"; then
+  echo "Detected changes to generator script, regenerating static/_headers..."
+  npx tsx scripts/generate-headers.ts
+  git add static/_headers
+  echo "✅ Updated static/_headers and added to commit"
+fi
+
 timed_run "precious lint" "precious lint --staged"

package.json

@@ -38,6 +38,7 @@
     "url": "https://github.com/maxmind/dev-site.git"
   },
   "scripts": {
+    "build:headers": "npx tsx scripts/generate-headers.ts",
     "fix": "run-p fix:*",
     "fix:scripts": "npm run lint:scripts --fix",
     "fix:styles": "npm run lint:styles --fix",

scripts/_headers.config.ts

@@ -0,0 +1,112 @@
+/**
+ * HTTP Headers Configuration for Cloudflare Pages
+ * This file is the source of truth for static/_headers generation
+ * Run: npm run build:headers
+ *
+ * Note: This file lives in scripts/ (not static/) to avoid deploying
+ * TypeScript source files to production.
+ */
+
+interface HeadersConfig {
+  paths: Array<{
+    pattern: string;
+    headers: Record<string, string | Record<string, string[]>>;
+  }>;
+}
+
+const config: HeadersConfig = {
+  paths: [
+    {
+      pattern: '/*',
+      headers: {
+        'Content-Security-Policy': {
+          'connect-src': [
+            '\'self\'',
+            'https://status.maxmind.com',
+            'https://www.maxmind.com',
+            'https://api.hubspot.com',
+            'https://static.hsappstatic.net',
+            'https://*.googleapis.com',
+            'https://*.google-analytics.com',
+            'https://*.analytics.google.com',
+            'https://*.googletagmanager.com',
+            'https://*.g.doubleclick.net',
+            'https://*.google.com',
+          ],
+          'default-src': [
+            '\'self\'',
+          ],
+          'font-src': [
+            '\'self\'',
+            'https://fonts.gstatic.com',
+          ],
+          'form-action': [
+            '\'self\'',
+          ],
+          'frame-ancestors': [
+            '\'self\'',
+          ],
+          'frame-src': [
+            '\'self\'',
+            'https://app.hubspot.com',
+            'https://www.google.com',
+            'https://www.googletagmanager.com',
+          ],
+          'img-src': [
+            '\'self\'',
+            'data:',
+            'https:',
+          ],
+          'object-src': [
+            '\'none\'',
+          ],
+          'script-src': [
+            '\'self\'',
+            '\'report-sample\'',
+            '\'unsafe-inline\'',
+            'https://js.hs-scripts.com',
+            'https://js.hs-analytics.net',
+            'https://js.hs-banner.com',
+            'https://js.usemessages.com',
+            'https://www.maxmind.com',
+            'https://cloud.google.com',
+            'https://www.gstatic.com',
+            'https://www.googleadservices.com',
+            'https://www.google.com',
+            'https://*.googletagmanager.com',
+          ],
+          'style-src': [
+            '\'self\'',
+            '\'unsafe-inline\'',
+            'https://fonts.googleapis.com',
+            'https://www.gstatic.com',
+          ],
+        },
+        'Feature-Policy':
+          'accelerometer \'none\'; autoplay \'none\'; camera \'none\'; ' +
+          'encrypted-media \'none\'; fullscreen \'none\'; geolocation \'none\'; ' +
+          'gyroscope \'none\'; magnetometer \'none\'; microphone \'none\'; ' +
+          'midi \'none\'; payment \'none\'; picture-in-picture \'none\'; ' +
+          'usb \'none\'; sync-xhr \'none\'',
+        'Permissions-Policy':
+          'accelerometer=(), ambient-light-sensor=(), autoplay=(), ' +
+          'battery=(), camera=(), display-capture=(), document-domain=(), ' +
+          'encrypted-media=(), execution-while-not-rendered=(), ' +
+          'execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), ' +
+          'geolocation=(), gyroscope=(), hid=(), idle-detection=(), ' +
+          'magnetometer=(), microphone=(), midi=(), payment=(), ' +
+          'picture-in-picture=(), publickey-credentials-get=(), ' +
+          'screen-wake-lock=(), serial=(), speaker-selection=(), usb=(), ' +
+          'web-share=(), xr-spatial-tracking=()',
+        'Referrer-Policy': 'strict-origin-when-cross-origin',
+        'Strict-Transport-Security':
+          'max-age=63072000; includeSubDomains; preload',
+        'X-Content-Type-Options': 'nosniff',
+        'X-Frame-Options': 'DENY',
+        'X-XSS-Protection': '1; mode=block',
+      },
+    },
+  ],
+};
+
+export default config;

scripts/generate-headers.ts

@@ -0,0 +1,93 @@
+#!/usr/bin/env node
+
+/**
+ * Generate static/_headers file from scripts/_headers.config.ts
+ *
+ * This script converts a structured TypeScript configuration into the
+ * Cloudflare Pages _headers format.
+ */
+
+import * as fs from 'fs';
+import * as path from 'path';
+
+import config from './_headers.config.js';
+
+interface PathConfig {
+  pattern: string;
+  headers: Record<string, string | Record<string, string | string[]>>;
+}
+
+/**
+ * Generate _headers file content from config
+ */
+function generateHeaders(
+  config: { paths: PathConfig[] }
+): string {
+  let output = '';
+
+  // Add warning comment at the top
+  output += '# ⚠️  DO NOT EDIT THIS FILE DIRECTLY!\n';
+  output += '# This file is automatically generated from scripts/_headers.config.ts\n';
+  output += '# To make changes, edit scripts/_headers.config.ts and run: npm run build:headers\n';
+  output += '#\n';
+  output += '# See README.md for more information\n';
+  output += '\n';
+
+  for (const pathConfig of config.paths) {
+    // Write path pattern
+    output += pathConfig.pattern + '\n';
+
+    // Process CSP first if it exists
+    if (pathConfig.headers['Content-Security-Policy']) {
+      const csp = pathConfig.headers['Content-Security-Policy'] as Record<
+        string,
+        string | string[]
+      >;
+      const directives: string[] = [];
+
+      for (const [
+        directive,
+        sources,
+      ] of Object.entries(csp)) {
+        if (Array.isArray(sources)) {
+          directives.push(`${directive} ${sources.join(' ')}`);
+        } else {
+          directives.push(`${directive} ${sources}`);
+        }
+      }
+
+      output += `  Content-Security-Policy: ${directives.join('; ')}\n`;
+    }
+
+    // Process other headers
+    for (const [
+      header,
+      value,
+    ] of Object.entries(pathConfig.headers)) {
+      if (header === 'Content-Security-Policy') continue;
+
+      output += `  ${header}: ${value}\n`;
+    }
+  }
+
+  return output;
+}
+
+// Main execution
+try {
+  const outputPath = path.join(process.cwd(), 'static', '_headers');
+
+  // Generate headers file
+  const headersContent = generateHeaders(config);
+
+  // Write output file
+  fs.writeFileSync(outputPath, headersContent);
+
+  console.log('✅ Generated static/_headers from scripts/_headers.config.ts');
+} catch (error) {
+  console.error(
+    'Error generating headers file:',
+    error instanceof Error ? error.message : String(error)
+  );
+  process.exit(1);
+}

static/_headers

@@ -1,5 +1,11 @@
+# ⚠️  DO NOT EDIT THIS FILE DIRECTLY!
+# This file is automatically generated from scripts/_headers.config.ts
+# To make changes, edit scripts/_headers.config.ts and run: npm run build:headers
+#
+# See README.md for more information
+
 /*
-  Content-Security-Policy: connect-src 'self' https://status.maxmind.com https://www.maxmind.com https://api.hubspot.com https://static.hsappstatic.net https://*.googleapis.com https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.g.doubleclick.net https://*.google.com; default-src 'self'; font-src 'self' https://fonts.gstatic.com; form-action 'self'; frame-ancestors 'self'; frame-src 'self' https://app.hubspot.com https://www.google.com https://www.googletagmanager.com; img-src 'self' data: https:; object-src 'none'; script-src 'self' 'report-sample' 'unsafe-inline'  https://js.hs-scripts.com https://js.hs-analytics.net https://js.hs-banner.com https://js.usemessages.com https://www.maxmind.com https://cloud.google.com https://www.gstatic.com https://www.googleadservices.com https://www.google.com https://*.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.gstatic.com
+  Content-Security-Policy: connect-src 'self' https://status.maxmind.com https://www.maxmind.com https://api.hubspot.com https://static.hsappstatic.net https://*.googleapis.com https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.g.doubleclick.net https://*.google.com; default-src 'self'; font-src 'self' https://fonts.gstatic.com; form-action 'self'; frame-ancestors 'self'; frame-src 'self' https://app.hubspot.com https://www.google.com https://www.googletagmanager.com; img-src 'self' data: https:; object-src 'none'; script-src 'self' 'report-sample' 'unsafe-inline' https://js.hs-scripts.com https://js.hs-analytics.net https://js.hs-banner.com https://js.usemessages.com https://www.maxmind.com https://cloud.google.com https://www.gstatic.com https://www.googleadservices.com https://www.google.com https://*.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.gstatic.com
   Feature-Policy: accelerometer 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; usb 'none'; sync-xhr 'none'
   Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), usb=(), web-share=(), xr-spatial-tracking=()
   Referrer-Policy: strict-origin-when-cross-origin

tsconfig.json

@@ -13,5 +13,5 @@
     "public",
     ".cache"
   ],
-  "include": ["./assets/js/**/*", "./bin/**/*.ts"]
+  "include": ["./assets/js/**/*", "./bin/**/*.ts", "./scripts/**/*.ts"]
 }