Add security headers to the website.

The one bit of JS we have for the mobile menu needed some tweaking.

Signed-off-by: Matt Moyer <moyerm@vmware.com>

site/netlify.toml

@@ -33,3 +33,11 @@ HUGO_ENABLEGITINFO = "true"
   for = "/fonts/*"
   [headers.values]
     Access-Control-Allow-Origin = "*"
+
+[[headers]]
+  for = "/*"
+  [headers.values]
+    Content-Security-Policy = "default-src 'self'; img-src *"
+    X-Content-Type-Options = "nosniff"
+    X-Frame-Options = "DENY"
+    X-XSS-Protection = "1; mode=block"

site/themes/pinniped/layouts/partials/header.html

@@ -7,7 +7,7 @@
 			<li><a href="/blog/" {{ if or (eq .Page.Section "posts") (eq .Page.Section "tags") }}class="active"{{ end }}>Blog</a></li>
 			<li><a href="/docs/" {{ if (eq .Page.Section "docs") }}class="active"{{ end }}>Docs</a></li>
 		</ul>
-		<button type="button" class="mobile" onclick="mobileNavToggle()">
+		<button type="button" class="mobile" id="mobile-menu-button">
 			<img class="collapsed-icon" src="/img/hamburger.svg" alt="Mobile nav icon">
 			<img class="expanded-icon" src="/img/close.svg" alt="Mobile nav icon">
 		</button>

site/themes/pinniped/static/js/main.js

@@ -3,4 +3,7 @@
 function mobileNavToggle() {
     var menu = document.getElementById("mobile-menu").parentElement;
     menu.classList.toggle('mobile-menu-visible');
-}
+}
+document.addEventListener('DOMContentLoaded', function () {
+    document.getElementById('mobile-menu-button').addEventListener('click', mobileNavToggle);
+});