refactor(backend): ♻️ extract security headers middleware to redure main middleware complexity

routes/_middleware.ts

@@ -1,7 +1,8 @@
 import { FreshContext } from '$fresh/server.ts'
 import { useCsp } from ':src/csp/middleware.ts'
-import { SessionStore } from ':src/session/mod.ts'
+import { useSecurityHeaders } from ':src/security_headers/middleware.ts'
 import { useSession } from ':src/session/middleware.ts'
+import { SessionStore } from ':src/session/mod.ts'
 
 export async function handler(request: Request, ctx: FreshContext) {
 	// Update fresh context state with session
@@ -10,23 +11,8 @@ export async function handler(request: Request, ctx: FreshContext) {
 	// Get response
 	const response = await ctx.next()
 
-	//Add security headers
+	// Use custom middleware hooks
-	// See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/TLS#http_strict_transport_security
+	useSecurityHeaders(request, response, ctx)
-	response.headers.set('Strict-Transport-Security', 'max-age=63072000; includeSubDomains; preload')
-	response.headers.set('Content-Security-Policy', "frame-ancestors 'none'; upgrade-insecure-requests")
-	//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Referrer_policy
-	response.headers.set('Referrer-Policy', 'no-referrer, strict-origin-when-cross-origin')
-	//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/MIME_types
-	response.headers.set('X-Content-Type-Options', 'nosniff')
-	//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Clickjacking
-	response.headers.set('X-Frame-Options', 'DENY')
-	//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CORP
-	response.headers.set('Cross-Origin-Resource-Policy', 'same-origin')
-	//See https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
-	//? SRI plugin for non local resources only ?
-	//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CSP
-	//? fresh useCSP https://fresh.deno.dev/docs/examples/using-csp
-
 	await useCsp(request, response, ctx)
 	useSession(request, response, ctx)
 

src/security_headers/middleware.ts

@@ -0,0 +1,26 @@
+import { FreshContext } from '$fresh/server.ts'
+
+export function useSecurityHeaders(
+    _request: Request,
+    response: Response,
+    _ctx: FreshContext,
+) {
+    // See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/TLS#http_strict_transport_security
+    response.headers.set(
+        'Strict-Transport-Security',
+        'max-age=63072000; includeSubDomains; preload',
+    )
+    //See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Referrer_policy
+    response.headers.set(
+        'Referrer-Policy',
+        'no-referrer, strict-origin-when-cross-origin',
+    )
+    //See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/MIME_types
+    response.headers.set('X-Content-Type-Options', 'nosniff')
+    //See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Clickjacking
+    response.headers.set('X-Frame-Options', 'DENY')
+    //See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CORP
+    response.headers.set('Cross-Origin-Resource-Policy', 'same-origin')
+    //See https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
+    //? SRI plugin for non local resources only ?
+}