# Custom headers when serving docs through Amplify Hosting # # See: https://docs.aws.amazon.com/amplify/latest/userguide/custom-headers.html#setting-custom-headers customHeaders: - pattern: '**/*' headers: - key: 'Strict-Transport-Security' value: 'max-age=31536000; includeSubDomains' - key: 'X-Frame-Options' value: 'DENY' - key: 'X-XSS-Protection' value: '1; mode=block' - key: 'X-Content-Type-Options' value: 'nosniff' - key: 'Content-Security-Policy' value: "upgrade-insecure-requests; default-src 'none'; prefetch-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'self' https://www.youtube-nocookie.com https://aws.demdex.net https://dpm.demdex.net; connect-src 'self' *.shortbread.aws.dev https://amazonwebservices.d2.sc.omtrdc.net https://aws.demdex.net https://dpm.demdex.net https://cm.everesttech.net https://a0.awsstatic.com/ https://d2c.aws.amazon.com https://vs.aws.amazon.com https://*.algolia.net https://*.algolianet.com *.amazonaws.com https://aws.amazon.com/ https://d2c-alpha.dse.marketing.aws.a2z.com https://aws-mktg-csds-alpha.integ.amazon.com/ https://alpha.d2c.marketing.aws.dev/ https://aa0.awsstatic.com/; img-src 'self' https://img.shields.io https://amazonwebservices.d2.sc.omtrdc.net https://aws.demdex.net https://dpm.demdex.net https://cm.everesttech.net https://a0.awsstatic.com/ https://alpha.d2c.marketing.aws.dev/ https://aa0.awsstatic.com/; media-src 'self'; script-src 'self' https://a0.awsstatic.com/ https://aa0.awsstatic.com/ https://alpha.d2c.marketing.aws.dev/ https://d2c.aws.amazon.com/;" # CSP also set in _document.tsx meta tag