Use backticks and arrays

Author: dhogan8

bin/_headers.config.ts

@@ -7,7 +7,7 @@
 interface HeadersConfig {
   paths: Array<{
     pattern: string;
-    headers: Record<string, string | Record<string, string[]>>;
+    headers: Record<string, string[] | Record<string, string[]>>;
   }>;
 }
 
@@ -17,8 +17,10 @@ const config: HeadersConfig = {
       pattern: '/*',
       headers: {
         'Content-Security-Policy': {
+          // Allow AJAX/fetch requests to status page, marketing site, HubSpot,
+          // and Google services for analytics and tag management
           'connect-src': [
-            '\'self\'',
+            "'self'",
             'https://status.maxmind.com',
             'https://www.maxmind.com',
             'https://api.hubspot.com',
@@ -30,37 +32,32 @@ const config: HeadersConfig = {
             'https://*.g.doubleclick.net',
             'https://*.google.com',
           ],
-          'default-src': [
-            '\'self\'',
-          ],
-          'font-src': [
-            '\'self\'',
-            'https://fonts.gstatic.com',
-          ],
-          'form-action': [
-            '\'self\'',
-          ],
-          'frame-ancestors': [
-            '\'self\'',
-          ],
+          // Fallback for resources not covered by other directives
+          'default-src': ["'self'"],
+          // Allow fonts from our site and Google Fonts
+          'font-src': ["'self'", 'https://fonts.gstatic.com'],
+          // Only allow form submissions to our own domain
+          'form-action': ["'self'"],
+          // Prevent this site from being embedded in iframes on other domains
+          'frame-ancestors': ["'self'"],
+          // Allow embedding content from HubSpot and Google services
           'frame-src': [
-            '\'self\'',
+            "'self'",
             'https://app.hubspot.com',
             'https://www.google.com',
             'https://www.googletagmanager.com',
           ],
-          'img-src': [
-            '\'self\'',
-            'data:',
-            'https:',
-          ],
-          'object-src': [
-            '\'none\'',
-          ],
+          // Allow images from our site, data URIs, and any HTTPS source
+          'img-src': ["'self'", 'data:', 'https:'],
+          // Block all plugins (Flash, Java, etc.)
+          'object-src': ["'none'"],
+          // Allow scripts from our site, HubSpot, Google services, and inline scripts
+          // 'unsafe-inline' needed for HubSpot and Google Tag Manager
+          // 'report-sample' includes script sample in violation reports
           'script-src': [
-            '\'self\'',
-            '\'report-sample\'',
-            '\'unsafe-inline\'',
+            "'self'",
+            "'report-sample'",
+            "'unsafe-inline'",
             'https://js.hs-scripts.com',
             'https://js.hs-analytics.net',
             'https://js.hs-banner.com',
@@ -72,35 +69,70 @@ const config: HeadersConfig = {
             'https://www.google.com',
             'https://*.googletagmanager.com',
           ],
+          // Allow styles from our site, Google Fonts, and inline styles
+          // 'unsafe-inline' needed for dynamic styling
           'style-src': [
-            '\'self\'',
-            '\'unsafe-inline\'',
+            "'self'",
+            "'unsafe-inline'",
             'https://fonts.googleapis.com',
             'https://www.gstatic.com',
           ],
         },
-        'Feature-Policy':
-          'accelerometer \'none\'; autoplay \'none\'; camera \'none\'; ' +
-          'encrypted-media \'none\'; fullscreen \'none\'; geolocation \'none\'; ' +
-          'gyroscope \'none\'; magnetometer \'none\'; microphone \'none\'; ' +
-          'midi \'none\'; payment \'none\'; picture-in-picture \'none\'; ' +
-          'usb \'none\'; sync-xhr \'none\'',
-        'Permissions-Policy':
-          'accelerometer=(), ambient-light-sensor=(), autoplay=(), ' +
-          'battery=(), camera=(), display-capture=(), document-domain=(), ' +
-          'encrypted-media=(), execution-while-not-rendered=(), ' +
-          'execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), ' +
-          'geolocation=(), gyroscope=(), hid=(), idle-detection=(), ' +
-          'magnetometer=(), microphone=(), midi=(), payment=(), ' +
-          'picture-in-picture=(), publickey-credentials-get=(), ' +
-          'screen-wake-lock=(), serial=(), speaker-selection=(), usb=(), ' +
-          'web-share=(), xr-spatial-tracking=()',
-        'Referrer-Policy': 'strict-origin-when-cross-origin',
-        'Strict-Transport-Security':
-          'max-age=63072000; includeSubDomains; preload',
-        'X-Content-Type-Options': 'nosniff',
-        'X-Frame-Options': 'DENY',
-        'X-XSS-Protection': '1; mode=block',
+        'Feature-Policy': [
+          "accelerometer 'none'",
+          "autoplay 'none'",
+          "camera 'none'",
+          "encrypted-media 'none'",
+          "fullscreen 'none'",
+          "geolocation 'none'",
+          "gyroscope 'none'",
+          "magnetometer 'none'",
+          "microphone 'none'",
+          "midi 'none'",
+          "payment 'none'",
+          "picture-in-picture 'none'",
+          "usb 'none'",
+          "sync-xhr 'none'",
+        ],
+        'Permissions-Policy': [
+          'accelerometer=()',
+          'ambient-light-sensor=()',
+          'autoplay=()',
+          'battery=()',
+          'camera=()',
+          'display-capture=()',
+          'document-domain=()',
+          'encrypted-media=()',
+          'execution-while-not-rendered=()',
+          'execution-while-out-of-viewport=()',
+          'fullscreen=()',
+          'gamepad=()',
+          'geolocation=()',
+          'gyroscope=()',
+          'hid=()',
+          'idle-detection=()',
+          'magnetometer=()',
+          'microphone=()',
+          'midi=()',
+          'payment=()',
+          'picture-in-picture=()',
+          'publickey-credentials-get=()',
+          'screen-wake-lock=()',
+          'serial=()',
+          'speaker-selection=()',
+          'usb=()',
+          'web-share=()',
+          'xr-spatial-tracking=()',
+        ],
+        'Referrer-Policy': ['strict-origin-when-cross-origin'],
+        'Strict-Transport-Security': [
+          'max-age=63072000',
+          'includeSubDomains',
+          'preload',
+        ],
+        'X-Content-Type-Options': ['nosniff'],
+        'X-Frame-Options': ['DENY'],
+        'X-XSS-Protection': ['1', 'mode=block'],
       },
     },
   ],

bin/generate-headers.ts

@@ -12,21 +12,21 @@ import config from './_headers.config.ts';
 
 interface PathConfig {
   pattern: string;
-  headers: Record<string, string | Record<string, string | string[]>>;
+  headers: Record<string, string[] | Record<string, string[]>>;
 }
 
 /**
  * Generate _headers file content from config
  */
-function generateHeaders(
-  config: { paths: PathConfig[] }
-): string {
+function generateHeaders(config: { paths: PathConfig[] }): string {
   let output = '';
 
   // Add warning comment at the top
   output += '# ⚠️  DO NOT EDIT THIS FILE DIRECTLY!\n';
-  output += '# This file is automatically generated from bin/_headers.config.ts\n';
-  output += '# To make changes, edit bin/_headers.config.ts and run: npm run build:headers\n';
+  output +=
+    '# This file is automatically generated from bin/_headers.config.ts\n';
+  output +=
+    '# To make changes, edit bin/_headers.config.ts and run: npm run build:headers\n';
   output += '#\n';
   output += '# See README.md for more information\n';
   output += '\n';
@@ -35,36 +35,25 @@ function generateHeaders(
     // Write path pattern
     output += pathConfig.pattern + '\n';
 
-    // Process CSP first if it exists
-    if (pathConfig.headers['Content-Security-Policy']) {
-      const csp = pathConfig.headers['Content-Security-Policy'] as Record<
-        string,
-        string | string[]
-      >;
-      const directives: string[] = [];
+    // Process all headers
+    for (const [header, value] of Object.entries(pathConfig.headers)) {
+      // Handle Content-Security-Policy (nested object)
+      if (header === 'Content-Security-Policy') {
+        const csp = value as Record<string, string[]>;
+        const directives: string[] = [];
 
-      for (const [
-        directive,
-        sources,
-      ] of Object.entries(csp)) {
-        if (Array.isArray(sources)) {
+        for (const [directive, sources] of Object.entries(csp)) {
           directives.push(`${directive} ${sources.join(' ')}`);
-        } else {
-          directives.push(`${directive} ${sources}`);
         }
-      }
-
-      output += `  Content-Security-Policy: ${directives.join('; ')}\n`;
-    }
 
-    // Process other headers
-    for (const [
-      header,
-      value,
-    ] of Object.entries(pathConfig.headers)) {
-      if (header === 'Content-Security-Policy') continue;
+        output += `  Content-Security-Policy: ${directives.join('; ')}\n`;
+        continue;
+      }
 
-      output += `  ${header}: ${value}\n`;
+      // Handle all other headers (arrays)
+      const values = value as string[];
+      const separator = header === 'Permissions-Policy' ? ', ' : '; ';
+      output += `  ${header}: ${values.join(separator)}\n`;
     }
   }
 

eslint.config.mjs

@@ -79,18 +79,6 @@ export default tseslint.config(
     },
 
     rules: {
-      'array-bracket-newline': [
-        'warn',
-        {
-          minItems: 1,
-          multiline: true,
-        },
-      ],
-
-      'array-element-newline': [
-        'warn',
-        'always',
-      ],
       'comma-dangle': [
         'warn',
         'always-multiline',
@@ -145,6 +133,9 @@ export default tseslint.config(
       quotes: [
         'warn',
         'single',
+        {
+          avoidEscape: true,
+        },
       ],
       semi: [
         1,