Example netlify.toml with the security headers and webhint

netlify.toml

[build]
  publish = "static"
  command = "yarn inject-manifest"

[[headers]]
  for = "/*"
  [headers.values]
    X-Content-Type-Options = "nosniff"
    Strict-Transport-Security = "max-age=31536000"
    Referrer-Policy = "no-referrer-when-downgrade"

[[headers]]
  for = "/"
  [headers.values]
    Cache-Control = "no-cache"
    X-Frame-Options = "DENY"
    X-XSS-Protection = "1; mode=block"
    Feature-Policy = "camera 'none'; geolocation 'none'; microphone 'none'"
    Content-Security-Policy = "report-uri https://illvart.report-uri.com/r/d/ct/reportOnly"
    Expect-CT = """
      max-age=0, report-uri="https://illvart.report-uri.com/r/d/ct/reportOnly"
    """

[[headers]]
  for = "*.html"
  [headers.values]
    Content-Type = "text/html; charset=utf-8"
    Cache-Control = "no-cache"
    X-UA-Compatible = "IE=Edge"

[[headers]]
  for = "/assets/css/*.css"
  [headers.values]
    Content-Type = "text/css; charset=utf-8"
    Cache-Control = "public, max-age=31536000, immutable"

    [[headers]]
      for = "/assets/css/*.min.css"
      [headers.values]
        Content-Type = "text/css; charset=utf-8"
        Cache-Control = "public, max-age=31536000, immutable"

[[headers]]
  for = "*.js"
  [headers.values]
    Content-Type = "text/javascript; charset=utf-8"
    Cache-Control = "public, max-age=31536000, immutable"

    [[headers]]
      for = "*.min.js"
      [headers.values]
        Content-Type = "text/javascript; charset=utf-8"
        Cache-Control = "public, max-age=31536000, immutable"

[[headers]]
  for = "*.webmanifest"
  [headers.values]
    Content-Type = "application/manifest+json; charset=utf-8"
    Cache-Control = "public, max-age=31536000, immutable"

[[headers]]
  for = "/assets/img/*"
  [headers.values]
    Cache-Control = "public, max-age=31536000, immutable"