From 00c5823a5efb7dba2256e04c9c3e105201c8b2df Mon Sep 17 00:00:00 2001
From: Lipis <lipiridis@gmail.com>
Date: Sat, 4 Apr 2020 02:36:12 +0300
Subject: [PATCH] Add Security Headers (#1200)

---
 now.json          | 27 +++++++++++++++++++++++++++
 public/index.html |  3 ++-
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/now.json b/now.json
index 88741444..149a93a6 100644
--- a/now.json
+++ b/now.json
@@ -1,4 +1,31 @@
 {
+  "headers": [
+    {
+      "source": "/(.*)",
+      "headers": [
+        {
+          "key": "Access-Control-Allow-Origin",
+          "value": "*"
+        },
+        {
+          "key": "X-Content-Type-Options",
+          "value": "nosniff"
+        },
+        {
+          "key": "Feature-Policy",
+          "value": "*"
+        },
+        {
+          "key": "Referrer-Policy",
+          "value": "origin"
+        },
+        {
+          "key": "Content-Security-Policy",
+          "value": "default-src https: data: 'unsafe-inline'; connect-src https://*.excalidraw.com wss://excalidraw-socket.herokuapp.com https://excalidraw-socket.herokuapp.com"
+        }
+      ]
+    }
+  ],
   "redirects": [
     {
       "source": "/([^.]+)",
diff --git a/public/index.html b/public/index.html
index 677e27ca..f84c7e7e 100644
--- a/public/index.html
+++ b/public/index.html
@@ -7,10 +7,11 @@
       name="viewport"
       content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no, viewport-fit=cover, shrink-to-fit=no"
     />
+    <meta name="referrer" content="origin" />
     <meta name="apple-mobile-web-app-capable" content="yes" />
 
     <meta name="theme-color" content="#000000" />
-    <!-- prettier-ignore -->
+
     <meta
       http-equiv="origin-trial"
       content="AsyySICOnLFPHhAi+SdB6g3Cr28MuSeq3a+2k3UOUKu+ikmEjAqYHAK3HSLx4keUd1BLYUPWPYAe6F9hyuO3JwUAAABceyJvcmlnaW4iOiJodHRwczovL3d3dy5leGNhbGlkcmF3LmNvbTo0NDMiLCJmZWF0dXJlIjoiTmF0aXZlRmlsZVN5c3RlbSIsImV4cGlyeSI6MTU4OTE4MzIxMH0="