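# Security response headers, declared as an UPWARD inline resolver whose
# value maps header name -> header value. Nesting is restored here; with
# every key at column 0 the document parses as a flat map with duplicate
# `resolver` / `inline` keys, not as the intended tree.
# NOTE(review): where this definition is attached to responses is not
# visible in this listing -- confirm that every response path (including
# error and fallback responses) references it.
veniaSecurityHeaders:
  resolver: inline
  inline:
    # The policy is rendered through mustache so the backend origin and an
    # optional nonce can be interpolated into the header value.
    # NOTE(review): `pageTypeNonce` is read from `veniaPageTypeNonce.nonce`,
    # which is defined outside this listing. A nonce is only useful if it is
    # unpredictable and regenerated for every response -- confirm at the
    # definition.
    content-security-policy:
      resolver: template
      engine: mustache
      provide:
        backend: env.MAGENTO_BACKEND_URL
        pageTypeNonce: veniaPageTypeNonce.nonce
      template:
        resolver: conditional
        when:
          # NODE_ENV=development: the template is the empty string, so no
          # policy text is produced. CSP violations will therefore not show
          # up during development; exercise a production-mode build before
          # release. NOTE(review): confirm how the server emits an empty
          # content-security-policy value.
          - matches: env.NODE_ENV
            pattern: development
            use:
              inline: ""
          # SCRIPT_NAME ending in `.php`: same directives as `default`, plus
          # a 'nonce-...' source in script-src when `pageTypeNonce` is set.
          #
          # Policy notes (apply to both policy strings below):
          # - script-src lists the bare schemes `http:` and `https:`, which
          #   permit script loads from any origin over those schemes. The
          #   directive blocks un-nonced inline script (no 'unsafe-inline')
          #   but does not restrict which hosts may serve script. Tightening
          #   it means replacing the scheme sources with explicit hosts, or
          #   using the nonce together with 'strict-dynamic'.
          # - style-src includes 'unsafe-inline', so inline styles are
          #   allowed.
          # - There is no default-src, so fetch directives not listed here
          #   (connect-src, media-src, manifest-src, ...) are unrestricted.
          # - There is no frame-ancestors or form-action; framing control
          #   relies on the x-frame-options header further down.
          # The value is a double-quoted multi-line scalar: line breaks fold
          # to single spaces, so the header is sent as one line.
          - matches: env.SCRIPT_NAME
            pattern: '.*\.php$'
            use:
              inline: "
                script-src http: https: {{ backend }}{{#pageTypeNonce}} 'nonce-{{ pageTypeNonce }}'{{/pageTypeNonce}};
                style-src 'self' blob: https: 'unsafe-inline' {{ backend }};
                img-src data: http: https:;
                object-src 'none';
                base-uri 'none';
                child-src 'self';
                font-src 'self' fonts.gstatic.com;
                frame-src assets.braintreegateway.com *.google.com *.youtube.com *.youtu.be *.vimeo.com
                "
        # Fallback when no `when` entry matches: identical policy without the
        # nonce source. The scheme-source caveat on script-src applies here
        # as well: any http:/https: origin may serve script.
        default:
          inline: "
            script-src http: https: {{ backend }};
            style-src 'self' blob: https: 'unsafe-inline' {{ backend }};
            img-src data: http: https:;
            object-src 'none';
            base-uri 'none';
            child-src 'self';
            font-src 'self' fonts.gstatic.com;
            frame-src assets.braintreegateway.com *.google.com *.youtube.com *.youtu.be *.vimeo.com
            "
    # HSTS for one year (31536000 s). No includeSubDomains or preload token,
    # so subdomains are not covered by this header. Browsers only honour it
    # on responses delivered over HTTPS.
    strict-transport-security:
      inline: max-age=31536000
    # Stops browsers from MIME-sniffing a response into a different type.
    x-content-type-options:
      inline: nosniff
    # Allows framing by same-origin pages only. This is the only framing
    # control in this file, since the CSP above sets no frame-ancestors.
    x-frame-options:
      inline: SAMEORIGIN
    # Legacy header: the browser XSS auditor it controlled has been removed
    # from (or was never implemented in) current major browsers, and OWASP
    # guidance is to send `0` or omit it and rely on CSP instead. Value kept
    # as authored.
    x-xss-protection:
      inline: '1; mode=block'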