oleeskild / digitalgarden


Headers Passthrough #238

Closed WiseGuru closed 6 months ago

WiseGuru commented 7 months ago

This is a site security issue; with Digital Gardens published as they are, there are no included security headers, and cross-site scripting is a real possibility.

As it is, sites like https://securityheaders.com and https://pentest-tools.com reveal the (admittedly low risk) lack of certain headers that would reduce the risk of phishing or XSS.


In Cloudflare, it's possible to manually add headers by modifying the `.eleventy.js` file to include `eleventyConfig.addPassthroughCopy("src/site/_headers")` and adding the file `/src/site/_headers` with the headers you want to add.

Vercel has some documentation regarding headers and adding them to projects, but I don't use Vercel, so I haven't gone through their process.

https://vercel.com/docs/edge-network/headers
https://vercel.com/docs/projects/project-configuration#headers

I'm not sure if there's a clean way to add headers easily to any deployment, but it would be great if the default option was secure.

As a side note, I wasn't able to get CSP to work, I believe due to the amount of on-page scripting, but I was able to get the other headers in place without causing any apparent conflicts.


I'm happy to help test or troubleshoot!

WiseGuru commented 6 months ago

I should have RTFM; this page in your guide explains it. https://dg-docs.ole.dev/advanced/configure-build-pipeline/

Screenshot below of how the `userSetup.js` file needs to be modified to allow for header passthrough.

[Screenshot: Headers Passthrough]