Meta 4

This is the fourth post in the series Meta. Start reading at the beginning, Meta 4.

Changes

• Made several changes to security headers.
  • Added Feature-Policy, Referrer-Policy, X-Content-Type-Options, and X-XSS-Protection.
  • Modified Content-Security-Policy.
    • Removed unsafe-inline from default-src. This required some changes to the way one-off scripts and stylesheets are created for individual posts: the generators now create files that are referenced via link and script tags in the individual page’s head. (This Ink feature hasn’t been used in any published posts yet.)
    • Moved the data: exception from default-src to img-src. At least one major browser has a bug where its default video controls can be blocked when the Content-Security-Policy header blocks data: images.
  • Increased the Strict-Transport-Security age from 30 days to 1 year.
  • X-Frame-Options was already being set and hasn’t been modified.
  • This gets Diplograph up to an A+ on a Security Headers (external link)⬀ audit. That’s pretty cool.

Implementation Changes

These sorts of changes are about how Diplograph is built behind the scenes, and won’t really be noticed on the site itself.

• Added a caching layer to reduce the number of times PROJ.4 is invoked for coordinate transformations, especially when building the map on the archives page.

Notes

To be honest, a big reason I started the blog again was to have a coding project to work on. I’m spending more time poking at Ink than, say, editing photos. This is probably bad.