customHttp.yml

customHeaders:
  - pattern: "**/*"
    headers:
      - key: "Strict-Transport-Security"
        value: "max-age=31622400; includeSubDomains"
      - key: "X-Frame-Options"
        value: "DENY"
      - key: "X-XSS-Protection"
        value: "1; mode=block"
      - key: "X-Content-Type-Options"
        value: "nosniff"
      - key: "X-DNS-Prefetch-Control"
        value: "off"
      - key: "X-Download-Options"
        value: "noopen"
      - key: "Referrer-Policy"
        value: "same-origin"
      - key: "Content-Security-Policy"
        # unsafe-inline added to style-src to allow for inline styles
        value: "connect-src 'self'
          https://*.postman.gov.sg https://postmangovsg-dev-upload.s3.ap-northeast-1.amazonaws.com/
          https://postmangovsg-prod-upload.s3.ap-northeast-1.amazonaws.com
          https://s3.ap-southeast-1.amazonaws.com/file-staging.postman.gov.sg/
          https://s3.ap-southeast-1.amazonaws.com/file-production.postman.gov.sg/
          https://o399364.ingest.sentry.io/
          https://www.google-analytics.com
          https://*.browser-intake-datadoghq.com;
          style-src 'self' https://*.postman.gov.sg https://fonts.googleapis.com 'unsafe-inline';
          font-src 'self' https://*.postman.gov.sg https://fonts.gstatic.com;
          default-src 'self' https://*.postman.gov.sg;
          object-src 'none';
          script-src 'self' https://*.postman.gov.sg https://www.google-analytics.com https://ssl.google-analytics.com;
          img-src 'self' https://*.postman.gov.sg https://www.google-analytics.com https://file.go.gov.sg https://file.for.sg https://file.for.edu.sg;
          media-src 'self' https://s3-ap-southeast-1.amazonaws.com/public.postman.gov.sg/;
          child-src 'self' https://s3-ap-southeast-1.amazonaws.com/public.postman.gov.sg/;
          frame-src 'self' https://form.gov.sg/;
          worker-src blob:;"
      - key: "Content-Security-Policy-Report-Only"
        value: report-uri https://b7b979b458ee470a86efff9ef1653b50@o399364.ingest.sentry.io/5261024;
  - pattern: "/static/**/*"
    headers:
      - key: "Cache-Control"
        value: "public, must-revalidate, max-age=14400"