chore: tighten security headers (#3709)

kokrui · web-flow · commit ce120c288a90 · 2024-04-04T01:36:10.000+08:00
* Add HSTS header that includes subdomains
* Update Cache-Control settings to not cache at all
* Prevent rendering in (i)frames
diff --git a/website/vercel.json b/website/vercel.json
@@ -7,11 +7,19 @@
   },
   "headers": [
     {
-      "source": "/assets/(.*)",
+      "source": "/(.*)",
       "headers": [
+        {
+          "key": "Strict-Transport-Security",
+          "value": "max-age=63072000; includeSubDomains;"
+        },
         {
           "key": "Cache-Control",
-          "value": "public, max-age=31536000, immutable"
+          "value": "no-cache, no-store, must-revalidate"
+        },
+        {
+          "key": "X-Frame-Options",
+          "value": "DENY"
         }
       ]
     },

Original file line number	Diff line number	Diff line change
`@@ -7,11 +7,19 @@`
`7`	`7`	`},`
`8`	`8`	`"headers": [`
`9`	`9`	`{`
`10`		`- "source": "/assets/(.*)",`
	`10`	`+ "source": "/(.*)",`
`11`	`11`	`"headers": [`
	`12`	`+ {`
	`13`	`+ "key": "Strict-Transport-Security",`
	`14`	`+ "value": "max-age=63072000; includeSubDomains;"`
	`15`	`+ },`
`12`	`16`	`{`
`13`	`17`	`"key": "Cache-Control",`
`14`		`- "value": "public, max-age=31536000, immutable"`
	`18`	`+ "value": "no-cache, no-store, must-revalidate"`
	`19`	`+ },`
	`20`	`+ {`
	`21`	`+ "key": "X-Frame-Options",`
	`22`	`+ "value": "DENY"`
`15`	`23`	`}`
`16`	`24`	`]`
`17`	`25`	`},`