website/routes/_middleware.ts

import { FreshContext } from '$fresh/server.ts'
import { useCsp } from ':src/csp/middleware.ts'
import { SessionStore } from ':src/session/mod.ts'
import { useSession } from ':src/session/middleware.ts'

export async function handler(request: Request, ctx: FreshContext) {
	// Update fresh context state with session
	ctx.state = { ...ctx.state, session: SessionStore.getFromRequest(request) }

	// Get response
	const response = await ctx.next()

	//Add security headers
	// See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/TLS#http_strict_transport_security
	response.headers.set('Strict-Transport-Security', 'max-age=63072000; includeSubDomains; preload')
	response.headers.set('Content-Security-Policy', "frame-ancestors 'none'; upgrade-insecure-requests")
	//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Referrer_policy
	response.headers.set('Referrer-Policy', 'no-referrer, strict-origin-when-cross-origin')
	//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/MIME_types
	response.headers.set('X-Content-Type-Options', 'nosniff')
	//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Clickjacking
	response.headers.set('X-Frame-Options', 'DENY')
	//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CORP
	response.headers.set('Cross-Origin-Resource-Policy', 'same-origin')
	//See https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
	//? SRI plugin for non local resources only ?
	//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CSP
	//? fresh useCSP https://fresh.deno.dev/docs/examples/using-csp

	await useCsp(request, response, ctx)
	useSession(request, response, ctx)

	// Allow service worker to serve root scope
	if (ctx.url.pathname.endsWith('island-startserviceworker.js')) {
		response.headers.set('Service-Worker-Allowed', '/')
	}

	return response
}
feat(pwa): :sparkles: add service worker and registration 2024-06-11 17:02:00 +02:00			`import { FreshContext } from '$fresh/server.ts'`
feat(backend): :lock: add CSP rules 2024-07-09 11:00:35 +02:00			`import { useCsp } from ':src/csp/middleware.ts'`
refactor: :recycle: update import map to simplify local imports paths 2024-07-01 13:11:20 +02:00			`import { SessionStore } from ':src/session/mod.ts'`
refactor(backend): :recycle: move sessions middleware to own file to redure main middleware complexity 2024-07-09 11:07:23 +02:00			`import { useSession } from ':src/session/middleware.ts'`
feat(pwa): :sparkles: add service worker and registration 2024-06-11 17:02:00 +02:00
			`export async function handler(request: Request, ctx: FreshContext) {`
feat: :sparkles: pass session state to downstream contexts 2024-06-13 23:50:32 +02:00			`// Update fresh context state with session`
			`ctx.state = { ...ctx.state, session: SessionStore.getFromRequest(request) }`

refactor: :recycle: small changes in main middleware 2024-07-04 12:44:34 +02:00			`// Get response`
feat(pwa): :sparkles: add service worker and registration 2024-06-11 17:02:00 +02:00			`const response = await ctx.next()`
refactor: :recycle: small changes in main middleware 2024-07-04 12:44:34 +02:00
feat: :lock: update security from mozilla observatory report see https://developer.mozilla.org/en-US/observatory/analyze?host=lp36.fr.nf 2024-07-04 13:57:56 +02:00			`//Add security headers`
			`// See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/TLS#http_strict_transport_security`
			`response.headers.set('Strict-Transport-Security', 'max-age=63072000; includeSubDomains; preload')`
			`response.headers.set('Content-Security-Policy', "frame-ancestors 'none'; upgrade-insecure-requests")`
			`//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Referrer_policy`
			`response.headers.set('Referrer-Policy', 'no-referrer, strict-origin-when-cross-origin')`
			`//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/MIME_types`
			`response.headers.set('X-Content-Type-Options', 'nosniff')`
			`//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Clickjacking`
			`response.headers.set('X-Frame-Options', 'DENY')`
			`//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CORP`
			`response.headers.set('Cross-Origin-Resource-Policy', 'same-origin')`
			`//See https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity`
			`//? SRI plugin for non local resources only ?`
			`//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CSP`
			`//? fresh useCSP https://fresh.deno.dev/docs/examples/using-csp`

feat(backend): :lock: add CSP rules 2024-07-09 11:00:35 +02:00			`await useCsp(request, response, ctx)`
refactor(backend): :recycle: move sessions middleware to own file to redure main middleware complexity 2024-07-09 11:07:23 +02:00			`useSession(request, response, ctx)`
feat(backend): :lock: add CSP rules 2024-07-09 11:00:35 +02:00
refactor: :recycle: small changes in main middleware 2024-07-04 12:44:34 +02:00			`// Allow service worker to serve root scope`
			`if (ctx.url.pathname.endsWith('island-startserviceworker.js')) {`
feat(pwa): :sparkles: add service worker and registration 2024-06-11 17:02:00 +02:00			`response.headers.set('Service-Worker-Allowed', '/')`
			`}`
feat: :lock: add csrf checks 2024-06-13 12:20:47 +02:00
feat(pwa): :sparkles: add service worker and registration 2024-06-11 17:02:00 +02:00			`return response`
			`}`