From a4c846241da58b26009bed4aefec3c6a0ed8b8fe Mon Sep 17 00:00:00 2001
From: Julien Oculi
Date: Tue, 9 Jul 2024 11:12:58 +0200
Subject: [PATCH] refactor(backend): :recycle: extract security headers middleware to redure main middleware complexity
---
 routes/_middleware.ts | 22 ++++------------------
 src/security_headers/middleware.ts | 26 ++++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 18 deletions(-)
 create mode 100644 src/security_headers/middleware.ts
diff --git a/routes/_middleware.ts b/routes/_middleware.ts
index ca93b0b..f3af97e 100644
--- a/routes/_middleware.ts
+++ b/routes/_middleware.ts
@@ -1,7 +1,8 @@
 import { FreshContext } from '$fresh/server.ts'
 import { useCsp } from ':src/csp/middleware.ts'
-import { SessionStore } from ':src/session/mod.ts'
+import { useSecurityHeaders } from ':src/security_headers/middleware.ts'
 import { useSession } from ':src/session/middleware.ts'
+import { SessionStore } from ':src/session/mod.ts'
 export async function handler(request: Request, ctx: FreshContext) {
 // Update fresh context state with session
@@ -10,23 +11,8 @@ export async function handler(request: Request, ctx: FreshContext) {
 // Get response
 const response = await ctx.next()
- //Add security headers
- // See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/TLS#http_strict_transport_security
- response.headers.set('Strict-Transport-Security', 'max-age=63072000; includeSubDomains; preload')
- response.headers.set('Content-Security-Policy', "frame-ancestors 'none'; upgrade-insecure-requests")
- //See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Referrer_policy
- response.headers.set('Referrer-Policy', 'no-referrer, strict-origin-when-cross-origin')
- //See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/MIME_types
- response.headers.set('X-Content-Type-Options', 'nosniff')
- //See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Clickjacking
- response.headers.set('X-Frame-Options', 'DENY')
- //See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CORP
- response.headers.set('Cross-Origin-Resource-Policy', 'same-origin')
- //See https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
- //? SRI plugin for non local resources only ?
- //See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CSP
- //? fresh useCSP https://fresh.deno.dev/docs/examples/using-csp
-
+ // Use custom middleware hooks
+ useSecurityHeaders(request, response, ctx)
 await useCsp(request, response, ctx)
 useSession(request, response, ctx)
diff --git a/src/security_headers/middleware.ts b/src/security_headers/middleware.ts
new file mode 100644
index 0000000..d53d61e
--- /dev/null
+++ b/src/security_headers/middleware.ts
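Review bot: The removed block also set `Content-Security-Policy` to `frame-ancestors 'none'; upgrade-insecure-requests`, but the extracted `useSecurityHeaders` in src/security_headers/middleware.ts (the next hunk) never sets that header, so this "refactor" silently drops it unless `useCsp` (not shown) emits an equivalent policy. `X-Frame-Options: DENY` still covers framing in the new code, but `upgrade-insecure-requests` has no legacy-header equivalent, so the mixed-content upgrade is lost on any response where useCsp does not add it. If useCsp is now meant to own the whole CSP, document that next to the call, e.g. `// CSP (frame-ancestors, upgrade-insecure-requests) is owned by useCsp below`; otherwise restore the `Content-Security-Policy` set in useSecurityHeaders. The body of `handler` starts before this hunk.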
@@ -0,0 +1,26 @@
+import { FreshContext } from '$fresh/server.ts'
+
+export function useSecurityHeaders(
+ _request: Request,
+ response: Response,
+ _ctx: FreshContext,
+) {
+ // See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/TLS#http_strict_transport_security
+ response.headers.set(
+ 'Strict-Transport-Security',
+ 'max-age=63072000; includeSubDomains; preload',
+ )
+ //See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Referrer_policy
+ response.headers.set(
+ 'Referrer-Policy',
+ 'no-referrer, strict-origin-when-cross-origin',
+ )
+ //See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/MIME_types
+ response.headers.set('X-Content-Type-Options', 'nosniff')
+ //See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Clickjacking
+ response.headers.set('X-Frame-Options', 'DENY')
+ //See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CORP
+ response.headers.set('Cross-Origin-Resource-Policy', 'same-origin')
+ //See https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
+ //? SRI plugin for non local resources only ?
+}
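Review bot: `useSecurityHeaders` is exported with no doc comment and no explicit return type, and the `Referrer-Policy` value is a comma-separated fallback list whose order is easy to "correct" by mistake. Add `: void` to the signature and a TSDoc block stating that the function mutates `response.headers` in place, that it unconditionally overwrites any value a route already set for these headers, and that `_request`/`_ctx` exist only to match the hook signature used in routes/_middleware.ts. On the Referrer-Policy line a comment such as `// Fallback list: browsers apply the last value they recognize, so no-referrer only applies where strict-origin-when-cross-origin is unsupported` pins the intent. The HSTS line is also worth a one-line caveat, since `includeSubDomains; preload` commits every subdomain to HTTPS and preload-list submission is not easily reversed.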