specification.website/public/_headers at main · jdevalk/specification.website · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
# Cloudflare Pages — response headers
# Spec reference: https://specification.website/spec/security/
#
# Strong defaults across the whole site. Tighten per-path as needed.
#
# CSP script-src hashes:
#   sha256-N74A… — dark-mode init inline script (also sets the theme-color meta)
#   sha256-UU9x… — speculationrules block in BaseLayout.astro (keep
#     'inline-speculation-rules' too; the hash is the fallback for
#     contexts where Chrome ignores that keyword). Recompute the hash
#     if those rules change.

/*
  Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin
  Permissions-Policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()
  Content-Security-Policy: default-src 'self'; script-src 'self' 'wasm-unsafe-eval' 'inline-speculation-rules' 'sha256-N74AzU+1FxvXAWIxrP2zNCBUxV949ZHOXXqjTvbusx0=' 'sha256-UU9xsfeOKmx3D7Lk33alkWn1rIjk46pD684u4pupy4o=' https://plausible.io; worker-src 'self' blob:; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self' https://plausible.io; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; object-src 'none'; report-to csp-endpoint; upgrade-insecure-requests
  Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; trusted-types default dompurify; report-to csp-endpoint
  Reporting-Endpoints: csp-endpoint="/reports", default="/reports"
  Cross-Origin-Opener-Policy: same-origin
  Cross-Origin-Resource-Policy: same-site
  X-Frame-Options: DENY
  No-Vary-Search: params=("utm_source" "utm_medium" "utm_campaign" "utm_content" "utm_term" "gclid" "fbclid" "msclkid" "mc_cid" "mc_eid" "ref"), key-order
  Link: </llms.txt>; rel="describedby"; type="text/markdown"; title="Site index for LLMs", </llms-full.txt>; rel="alternate"; type="text/markdown"; title="Full content as Markdown", </.well-known/api-catalog>; rel="api-catalog"; type="application/linkset+json", </.well-known/mcp/server-card.json>; rel="mcp"; type="application/json"; title="MCP server card", <https://mcp.specification.website/mcp>; rel="related"; title="MCP endpoint", </.well-known/agent-card.json>; rel="service-desc"; type="application/json"; title="A2A agent card", <https://mcp.specification.website/a2a/v1>; rel="related"; title="A2A endpoint", </.well-known/agent-skills/index.json>; rel="agent-skills"; type="application/json"; title="Agent Skills discovery index", </.well-known/ai-catalog.json>; rel="ai-catalog"; type="application/ai-catalog+json"; title="Agentic Resource Discovery catalog", </sitemap-index.xml>; rel="sitemap"; type="application/xml", </rss.xml>; rel="alternate"; type="application/rss+xml"; title="Feed of spec changes", </changelog/rss.xml>; rel="alternate"; type="application/rss+xml"; title="Changelog feed", </.well-known/security.txt>; rel="security"; type="text/plain"

# Long cache for fingerprinted assets
/_astro/*
  Cache-Control: public, max-age=31536000, immutable

/fonts/*
  Cache-Control: public, max-age=31536000, immutable

# Well-known files served with the right type
/.well-known/security.txt
  Content-Type: text/plain; charset=utf-8
  Cache-Control: public, max-age=3600

/llms.txt
  Content-Type: text/plain; charset=utf-8

/llms-full.txt
  Content-Type: text/plain; charset=utf-8

/robots.txt
  Content-Type: text/plain; charset=utf-8

/humans.txt
  Content-Type: text/plain; charset=utf-8

# Per-page Markdown source served from /spec/<category>/<slug>.md
/spec/*.md
  Content-Type: text/markdown; charset=utf-8
  Cache-Control: public, max-age=3600, stale-if-error=86400

# OKF bundle — Markdown concept tree served as text/markdown
/okf/*
  Content-Type: text/markdown; charset=utf-8
  Cache-Control: public, max-age=3600, stale-if-error=86400
  Access-Control-Allow-Origin: *

# OKF bundle — packaged gzipped tar of the whole tree
/okf.tar.gz
  Content-Type: application/gzip
  Cache-Control: public, max-age=3600, stale-if-error=86400
  Access-Control-Allow-Origin: *

# Per-page JSON-LD graph served from /spec/<category>/<slug>.jsonld
/spec/*.jsonld
  Content-Type: application/ld+json; charset=utf-8
  Cache-Control: public, max-age=3600, stale-if-error=86400
  Access-Control-Allow-Origin: *

# Schemamap index — JSON-LD discovery for the whole site
/schemamap.xml
  Content-Type: application/xml; charset=utf-8
  Cache-Control: public, max-age=3600
  Access-Control-Allow-Origin: *

# XML sitemaps — index + per-category + general pages
/sitemap-*.xml
  Content-Type: application/xml; charset=utf-8
  Cache-Control: public, max-age=3600, stale-if-error=86400

# Sitemap XSL stylesheet — styles the XML when viewed in a browser
/sitemap.xsl
  Content-Type: application/xslt+xml; charset=utf-8
  Cache-Control: public, max-age=3600

# RFC 9727 — Publishing Organisation API Information
/.well-known/api-catalog
  Content-Type: application/linkset+json; charset=utf-8
  Cache-Control: public, max-age=3600

# MCP server card discovery
/.well-known/mcp/server-card.json
  Content-Type: application/json; charset=utf-8
  Cache-Control: public, max-age=3600
  Access-Control-Allow-Origin: *

# A2A agent card discovery (a2a-protocol.org)
/.well-known/agent-card.json
  Content-Type: application/json; charset=utf-8
  Cache-Control: public, max-age=3600
  Access-Control-Allow-Origin: *

# Agent Skills Discovery (RFC v0.2.0)
/.well-known/agent-skills/index.json
  Content-Type: application/json; charset=utf-8
  Cache-Control: public, max-age=3600
  Access-Control-Allow-Origin: *

# Glama MCP connector ownership claim (glama.ai)
/.well-known/glama.json
  Content-Type: application/json; charset=utf-8
  Cache-Control: public, max-age=3600
  Access-Control-Allow-Origin: *

# Agentic Resource Discovery (ARD) — AI Catalog manifest
/.well-known/ai-catalog.json
  Content-Type: application/ai-catalog+json; charset=utf-8
  Cache-Control: public, max-age=3600
  Access-Control-Allow-Origin: *

# JWK Set — public key for verifying the AI Catalog trustManifest signature
/.well-known/jwks.json
  Content-Type: application/jwk-set+json; charset=utf-8
  Cache-Control: public, max-age=3600
  Access-Control-Allow-Origin: *

/.well-known/agent-skills/*/SKILL.md
  Content-Type: text/markdown; charset=utf-8
  Cache-Control: public, max-age=3600
  Access-Control-Allow-Origin: *