From f4381eb1422cc78552138a74ef891dffeab23930 Mon Sep 17 00:00:00 2001
From: Philipp Dallig
Date: Tue, 19 Jan 2016 11:36:44 +0100
Subject: [PATCH] spd - add headers
---
 customer/spd/development.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/customer/spd/development.yaml b/customer/spd/development.yaml
index 411fd08c..b9d0474b 100644
--- a/customer/spd/development.yaml
+++ b/customer/spd/development.yaml
@@ -24,6 +24,14 @@ site::profile::typo3::projects:
 ssl_cert: '/etc/pki/tls/certs/wildcard.pixelpark.net-cert.pem'
 ssl_key: '/etc/pki/tls/private/wildcard.pixelpark.net-key.pem'
 ssl_chain: '/etc/pki/tls/certs/wildcard.pixelpark.net-cert.pem'
+ headers:
+ - 'set X-Frame-Options: sameorigin'
+ - 'set X-XSS-Protection: "1; mode=block"'
+ - 'set X-Content-Type-Options: nosniff'
+ - "set Content-Security-Policy: \"default-src 'self'; font-src 'self' fonts.gstatic.com; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval' 'unsafe-inline' api.spendino.de storify.com; frame-src w.soundcloud.com player.vimeo.com www.youtube.com api.spendino.de storify.com; frame-ancestors 'self'\""
+ - "set X-Content-Security-Policy: \"default-src 'self'; font-src 'self' fonts.gstatic.com; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval' 'unsafe-inline' api.spendino.de storify.com; frame-src w.soundcloud.com player.vimeo.com www.youtube.com api.spendino.de storify.com; frame-ancestors 'self'\""
+ headers_ssl:
+ - 'always set Strict-Transport-Security "max-age=31556926"'
 directories:
 - location1:
 provider: location
--
2.39.5
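Review bot: The `script-src` list in the two CSP entries under `headers:` keeps `'unsafe-inline'` and `'unsafe-eval'`, so injected inline script still runs and the policy mainly restricts where external resources may load from. If they cannot be dropped yet, record that next to the entry, e.g. `# script-src: 'unsafe-inline'/'unsafe-eval' are temporary; remove once inline scripts are externalised`, so the policy is not copied unchanged to other environments. The five `headers:` entries use `set` while `headers_ssl:` uses `always set`; assuming these render as Apache `Header` directives, error responses would miss X-Frame-Options, nosniff and the CSP, and `always set X-Content-Type-Options: nosniff` (likewise for the others) would align them. The `X-Content-Security-Policy` entry repeats the full policy string by hand, so the two copies can drift apart when only one is edited. The project mapping starts above the hunk and `directories:` continues below it.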