cohabit/website
5
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

feat: 🔒 update security from mozilla observatory report

Browse source 
see https://developer.mozilla.org/en-US/observatory/analyze?host=lp36.fr.nf
This commit is contained in:
Julien Oculi 2024-07-04 13:57:56 +02:00
parent bf7ed471dd
commit 906f31b240
2 changed files with 21 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
routes/_middleware.ts
View file

@ -9,6 +9,23 @@ export async function handler(request: Request, ctx: FreshContext) {
// Get response
const response = await ctx.next()
//Add security headers
// See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/TLS#http_strict_transport_security
response.headers.set('Strict-Transport-Security', 'max-age=63072000; includeSubDomains; preload')
response.headers.set('Content-Security-Policy', "frame-ancestors 'none'; upgrade-insecure-requests")
//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Referrer_policy
response.headers.set('Referrer-Policy', 'no-referrer, strict-origin-when-cross-origin')
//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/MIME_types
response.headers.set('X-Content-Type-Options', 'nosniff')
//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Clickjacking
response.headers.set('X-Frame-Options', 'DENY')
//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CORP
response.headers.set('Cross-Origin-Resource-Policy', 'same-origin')
//See https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
//? SRI plugin for non local resources only ?
//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CSP
//? fresh useCSP https://fresh.deno.dev/docs/examples/using-csp
// Allow service worker to serve root scope
if (ctx.url.pathname.endsWith('island-startserviceworker.js')) {
response.headers.set('Service-Worker-Allowed', '/')
@ -32,7 +49,7 @@ export async function handler(request: Request, ctx: FreshContext) {
// Set session cookie
setCookie(response.headers, {
name: '_SESSION',
name: '__Secure-SESSION',
value: session.uuid,
httpOnly: true,
sameSite: 'Strict',
@ -46,7 +63,7 @@ export async function handler(request: Request, ctx: FreshContext) {
session.set('_csrf', csrf)
setCookie(response.headers, {
name: '_CSRF',
name: '__Host-CSRF',
value: csrf,
httpOnly: false,
sameSite: 'Strict',

4
src/utils.ts
View file

@ -40,7 +40,7 @@ export async function requestApi<
method: 'GET' | 'POST' | 'DELETE' | 'PATCH',
payload?: Payload | null,
): Promise<ApiResponse> {
const csrf = getCookie('_CSRF') ?? ''
const csrf = getCookie('__Host-CSRF') ?? ''
const base = new URL('/api/', location.origin)
const endpoint = new URL(
@ -116,7 +116,7 @@ export async function* requestApiStream<
method: 'GET' | 'POST' | 'DELETE' | 'PATCH',
payload?: Payload | null,
): AsyncGenerator<ApiResponse, void, void> {
const csrf = getCookie('_CSRF') ?? ''
const csrf = getCookie('__Host-CSRF') ?? ''
const base = new URL('/api/', location.origin)
const endpoint = new URL(