Enhance CSP directives for improved security (#10)

* Enhance content security policy directives for improved security

* Create .htaccess for security headers on apache web server

Author: rdhar

astro.config.mjs

@@ -9,7 +9,20 @@ export default defineConfig({
   integrations: [mdx(), sitemap()],
   security: {
     csp: {
-      directives: ["default-src 'self'"],
+      directives: [
+        "default-src 'none'",
+        "base-uri 'none'",
+        "form-action 'none'",
+        "frame-ancestors 'none'",
+        "img-src 'self'",
+        "font-src 'self'",
+      ],
+    },
+  },
+  server: {
+    headers: {
+      'X-Content-Type-Options': 'nosniff',
+      'Referrer-Policy': 'strict-origin-when-cross-origin',
     },
   },
   fonts: [

public/.htaccess

@@ -0,0 +1,4 @@
+<IfModule mod_headers.c>
+  Header always set X-Content-Type-Options "nosniff"
+  Header always set Referrer-Policy "strict-origin-when-cross-origin"
+</IfModule>