feat: 🔒 update security from mozilla observatory report
see https://developer.mozilla.org/en-US/observatory/analyze?host=lp36.fr.nf
This commit is contained in:
parent
bf7ed471dd
commit
906f31b240
|
@ -9,6 +9,23 @@ export async function handler(request: Request, ctx: FreshContext) {
|
|||
// Get response
|
||||
const response = await ctx.next()
|
||||
|
||||
//Add security headers
|
||||
// See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/TLS#http_strict_transport_security
|
||||
response.headers.set('Strict-Transport-Security', 'max-age=63072000; includeSubDomains; preload')
|
||||
response.headers.set('Content-Security-Policy', "frame-ancestors 'none'; upgrade-insecure-requests")
|
||||
//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Referrer_policy
|
||||
response.headers.set('Referrer-Policy', 'no-referrer, strict-origin-when-cross-origin')
|
||||
//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/MIME_types
|
||||
response.headers.set('X-Content-Type-Options', 'nosniff')
|
||||
//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Clickjacking
|
||||
response.headers.set('X-Frame-Options', 'DENY')
|
||||
//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CORP
|
||||
response.headers.set('Cross-Origin-Resource-Policy', 'same-origin')
|
||||
//See https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
|
||||
//? SRI plugin for non local resources only ?
|
||||
//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CSP
|
||||
//? fresh useCSP https://fresh.deno.dev/docs/examples/using-csp
|
||||
|
||||
// Allow service worker to serve root scope
|
||||
if (ctx.url.pathname.endsWith('island-startserviceworker.js')) {
|
||||
response.headers.set('Service-Worker-Allowed', '/')
|
||||
|
@ -32,7 +49,7 @@ export async function handler(request: Request, ctx: FreshContext) {
|
|||
|
||||
// Set session cookie
|
||||
setCookie(response.headers, {
|
||||
name: '_SESSION',
|
||||
name: '__Secure-SESSION',
|
||||
value: session.uuid,
|
||||
httpOnly: true,
|
||||
sameSite: 'Strict',
|
||||
|
@ -46,7 +63,7 @@ export async function handler(request: Request, ctx: FreshContext) {
|
|||
session.set('_csrf', csrf)
|
||||
|
||||
setCookie(response.headers, {
|
||||
name: '_CSRF',
|
||||
name: '__Host-CSRF',
|
||||
value: csrf,
|
||||
httpOnly: false,
|
||||
sameSite: 'Strict',
|
||||
|
|
|
@ -40,7 +40,7 @@ export async function requestApi<
|
|||
method: 'GET' | 'POST' | 'DELETE' | 'PATCH',
|
||||
payload?: Payload | null,
|
||||
): Promise<ApiResponse> {
|
||||
const csrf = getCookie('_CSRF') ?? ''
|
||||
const csrf = getCookie('__Host-CSRF') ?? ''
|
||||
|
||||
const base = new URL('/api/', location.origin)
|
||||
const endpoint = new URL(
|
||||
|
@ -116,7 +116,7 @@ export async function* requestApiStream<
|
|||
method: 'GET' | 'POST' | 'DELETE' | 'PATCH',
|
||||
payload?: Payload | null,
|
||||
): AsyncGenerator<ApiResponse, void, void> {
|
||||
const csrf = getCookie('_CSRF') ?? ''
|
||||
const csrf = getCookie('__Host-CSRF') ?? ''
|
||||
|
||||
const base = new URL('/api/', location.origin)
|
||||
const endpoint = new URL(
|
||||
|
|
Loading…
Reference in a new issue