feat: 🔒 update security from mozilla observatory report
see https://developer.mozilla.org/en-US/observatory/analyze?host=lp36.fr.nf
This commit is contained in:
parent
bf7ed471dd
commit
906f31b240
|
@ -9,6 +9,23 @@ export async function handler(request: Request, ctx: FreshContext) {
|
||||||
// Get response
|
// Get response
|
||||||
const response = await ctx.next()
|
const response = await ctx.next()
|
||||||
|
|
||||||
|
//Add security headers
|
||||||
|
// See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/TLS#http_strict_transport_security
|
||||||
|
response.headers.set('Strict-Transport-Security', 'max-age=63072000; includeSubDomains; preload')
|
||||||
|
response.headers.set('Content-Security-Policy', "frame-ancestors 'none'; upgrade-insecure-requests")
|
||||||
|
//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Referrer_policy
|
||||||
|
response.headers.set('Referrer-Policy', 'no-referrer, strict-origin-when-cross-origin')
|
||||||
|
//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/MIME_types
|
||||||
|
response.headers.set('X-Content-Type-Options', 'nosniff')
|
||||||
|
//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Clickjacking
|
||||||
|
response.headers.set('X-Frame-Options', 'DENY')
|
||||||
|
//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CORP
|
||||||
|
response.headers.set('Cross-Origin-Resource-Policy', 'same-origin')
|
||||||
|
//See https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
|
||||||
|
//? SRI plugin for non local resources only ?
|
||||||
|
//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CSP
|
||||||
|
//? fresh useCSP https://fresh.deno.dev/docs/examples/using-csp
|
||||||
|
|
||||||
// Allow service worker to serve root scope
|
// Allow service worker to serve root scope
|
||||||
if (ctx.url.pathname.endsWith('island-startserviceworker.js')) {
|
if (ctx.url.pathname.endsWith('island-startserviceworker.js')) {
|
||||||
response.headers.set('Service-Worker-Allowed', '/')
|
response.headers.set('Service-Worker-Allowed', '/')
|
||||||
|
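Review bot: Every response now has its headers mutated in place after `ctx.next()`, and `Headers.set` throws a TypeError when the downstream handler returned a Response whose headers are immutable, as `Response.redirect()` does; before this change only the service-worker path touched the headers, so the failure surface is new. Rebuild the response before setting anything: `const upstream = await ctx.next()` / `const response = new Response(upstream.body, upstream)`, and keep the `response.headers.set(...)` lines unchanged. The multi-value `Referrer-Policy` deserves a comment, since browsers apply the last policy they recognise and fall back to the earlier one: `// fallback list: browsers use the last value they support (strict-origin-when-cross-origin); older ones fall back to no-referrer`. The `preload` token on Strict-Transport-Security together with `includeSubDomains` commits every subdomain to HTTPS and is hard to undo once the host is on the preload list, so a comment stating that this is intended would help. handler's body starts before the hunk and continues beyond it.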
@ -32,7 +49,7 @@ export async function handler(request: Request, ctx: FreshContext) {
|
||||||
|
|
||||||
// Set session cookie
|
// Set session cookie
|
||||||
setCookie(response.headers, {
|
setCookie(response.headers, {
|
||||||
name: '_SESSION',
|
name: '__Secure-SESSION',
|
||||||
value: session.uuid,
|
value: session.uuid,
|
||||||
httpOnly: true,
|
httpOnly: true,
|
||||||
sameSite: 'Strict',
|
sameSite: 'Strict',
|
||||||
|
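Review bot: The `__Secure-` prefix only works if the cookie also carries `secure: true`; a prefixed cookie without it is rejected by the browser, so the session would silently never be set and every request would look anonymous. That attribute is not among the visible lines of this setCookie call (the call continues past the hunk), so it needs confirming, and the same applies to the `__Host-CSRF` cookie in the next hunk, which additionally requires `path: '/'` and no `domain` attribute. If the attributes are present, a comment such as `// __Secure- prefix: the browser drops the cookie unless Secure is set` next to the name would make the dependency explicit. The two cookies also use different prefixes — if the session cookie can be scoped to this host like the CSRF one, `__Host-` gives the stronger guarantee (no domain attribute, path /).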
@ -46,7 +63,7 @@ export async function handler(request: Request, ctx: FreshContext) {
|
||||||
session.set('_csrf', csrf)
|
session.set('_csrf', csrf)
|
||||||
|
|
||||||
setCookie(response.headers, {
|
setCookie(response.headers, {
|
||||||
name: '_CSRF',
|
name: '__Host-CSRF',
|
||||||
value: csrf,
|
value: csrf,
|
||||||
httpOnly: false,
|
httpOnly: false,
|
||||||
sameSite: 'Strict',
|
sameSite: 'Strict',
|
||||||
|
|
|
@ -40,7 +40,7 @@ export async function requestApi<
|
||||||
method: 'GET' | 'POST' | 'DELETE' | 'PATCH',
|
method: 'GET' | 'POST' | 'DELETE' | 'PATCH',
|
||||||
payload?: Payload | null,
|
payload?: Payload | null,
|
||||||
): Promise<ApiResponse> {
|
): Promise<ApiResponse> {
|
||||||
const csrf = getCookie('_CSRF') ?? ''
|
const csrf = getCookie('__Host-CSRF') ?? ''
|
||||||
|
|
||||||
const base = new URL('/api/', location.origin)
|
const base = new URL('/api/', location.origin)
|
||||||
const endpoint = new URL(
|
const endpoint = new URL(
|
||||||
|
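Review bot: The cookie name `'__Host-CSRF'` is now hardcoded in three places — here, in requestApiStream in the next hunk, and in the server-side setCookie — so a future rename can desynchronise client and server, at which point `?? ''` sends an empty token and every API call fails with an opaque CSRF rejection. Hoist it to one exported constant, e.g. `export const CSRF_COOKIE = '__Host-CSRF'` in a module both sides can import, and read it as `const csrf = getCookie(CSRF_COOKIE) ?? ''`. If a missing cookie is never expected here, throwing instead of defaulting to `''` would surface a rejected cookie (for example when the `__Host-` requirements are not met) at the call site rather than as a server-side error. requestApi's signature starts before the hunk and its body continues beyond it.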
@ -116,7 +116,7 @@ export async function* requestApiStream<
|
||||||
method: 'GET' | 'POST' | 'DELETE' | 'PATCH',
|
method: 'GET' | 'POST' | 'DELETE' | 'PATCH',
|
||||||
payload?: Payload | null,
|
payload?: Payload | null,
|
||||||
): AsyncGenerator<ApiResponse, void, void> {
|
): AsyncGenerator<ApiResponse, void, void> {
|
||||||
const csrf = getCookie('_CSRF') ?? ''
|
const csrf = getCookie('__Host-CSRF') ?? ''
|
||||||
|
|
||||||
const base = new URL('/api/', location.origin)
|
const base = new URL('/api/', location.origin)
|
||||||
const endpoint = new URL(
|
const endpoint = new URL(
|
||||||
|
|