refactor(backend): ♻️ extract security headers middleware to redure main middleware complexity
parent
7a58769335
commit
a4c846241d
|
@ -1,7 +1,8 @@
|
||||||
import { FreshContext } from '$fresh/server.ts'
|
import { FreshContext } from '$fresh/server.ts'
|
||||||
import { useCsp } from ':src/csp/middleware.ts'
|
import { useCsp } from ':src/csp/middleware.ts'
|
||||||
import { SessionStore } from ':src/session/mod.ts'
|
import { useSecurityHeaders } from ':src/security_headers/middleware.ts'
|
||||||
import { useSession } from ':src/session/middleware.ts'
|
import { useSession } from ':src/session/middleware.ts'
|
||||||
|
import { SessionStore } from ':src/session/mod.ts'
|
||||||
|
|
||||||
export async function handler(request: Request, ctx: FreshContext) {
|
export async function handler(request: Request, ctx: FreshContext) {
|
||||||
// Update fresh context state with session
|
// Update fresh context state with session
|
||||||
|
@ -10,23 +11,8 @@ export async function handler(request: Request, ctx: FreshContext) {
|
||||||
// Get response
|
// Get response
|
||||||
const response = await ctx.next()
|
const response = await ctx.next()
|
||||||
|
|
||||||
//Add security headers
|
// Use custom middleware hooks
|
||||||
// See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/TLS#http_strict_transport_security
|
useSecurityHeaders(request, response, ctx)
|
||||||
response.headers.set('Strict-Transport-Security', 'max-age=63072000; includeSubDomains; preload')
|
|
||||||
response.headers.set('Content-Security-Policy', "frame-ancestors 'none'; upgrade-insecure-requests")
|
|
||||||
//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Referrer_policy
|
|
||||||
response.headers.set('Referrer-Policy', 'no-referrer, strict-origin-when-cross-origin')
|
|
||||||
//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/MIME_types
|
|
||||||
response.headers.set('X-Content-Type-Options', 'nosniff')
|
|
||||||
//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Clickjacking
|
|
||||||
response.headers.set('X-Frame-Options', 'DENY')
|
|
||||||
//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CORP
|
|
||||||
response.headers.set('Cross-Origin-Resource-Policy', 'same-origin')
|
|
||||||
//See https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
|
|
||||||
//? SRI plugin for non local resources only ?
|
|
||||||
//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CSP
|
|
||||||
//? fresh useCSP https://fresh.deno.dev/docs/examples/using-csp
|
|
||||||
|
|
||||||
await useCsp(request, response, ctx)
|
await useCsp(request, response, ctx)
|
||||||
useSession(request, response, ctx)
|
useSession(request, response, ctx)
|
||||||
|
|
||||||
|
|
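Review bot: The extraction silently drops the `Content-Security-Policy` header: the old handler set `frame-ancestors 'none'; upgrade-insecure-requests` on the response, that line is removed here, and the new `useSecurityHeaders` in src/security_headers/middleware.ts sets HSTS, Referrer-Policy, X-Content-Type-Options, X-Frame-Options and Cross-Origin-Resource-Policy but no CSP, so after this commit the only possible source of a CSP is `useCsp`. If `useCsp` builds the page policy itself it must now carry `frame-ancestors 'none'` and `upgrade-insecure-requests` (X-Frame-Options: DENY still covers framing in browsers that honour it, but `upgrade-insecure-requests` has no substitute); if it does not, restore the header, e.g. `response.headers.set('Content-Security-Policy', "frame-ancestors 'none'; upgrade-insecure-requests")` inside `useSecurityHeaders`, which runs before `useCsp` and so can still be overridden by it. Either way, a short comment at the `useSecurityHeaders(request, response, ctx)` call naming which middleware owns the CSP header would make the ownership explicit, since a commit labelled "refactor" is not where a reviewer expects a header to disappear. The handler's return statement and closing brace are outside the hunk.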
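--- /dev/null
+++ b/src/security_headers/middleware.ts
@@ -0,0 +1,26 @@
+import { FreshContext } from '$fresh/server.ts'
+
+export function useSecurityHeaders(
+_request: Request,
+response: Response,
+_ctx: FreshContext,
+) {
+// See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/TLS#http_strict_transport_security
+response.headers.set(
+'Strict-Transport-Security',
+'max-age=63072000; includeSubDomains; preload',
+)
+//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Referrer_policy
+response.headers.set(
+'Referrer-Policy',
+'no-referrer, strict-origin-when-cross-origin',
+)
+//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/MIME_types
+response.headers.set('X-Content-Type-Options', 'nosniff')
+//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Clickjacking
+response.headers.set('X-Frame-Options', 'DENY')
+//See https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CORP
+response.headers.set('Cross-Origin-Resource-Policy', 'same-origin')
+//See https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
+//? SRI plugin for non local resources only ?
+}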
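Review bot: `useSecurityHeaders` is exported without a TSDoc block or a return type, so its contract — it mutates `response.headers` in place with `set`, which replaces any value a route handler already put there rather than appending, and returns nothing — has to be reconstructed from the body; the `_request` and `_ctx` parameters appear to exist only to match the signature of the other hooks, and that is worth saying too. Suggest a TSDoc comment above the function stating that it applies a fixed set of hardening headers (HSTS, Referrer-Policy, X-Content-Type-Options, X-Frame-Options, Cross-Origin-Resource-Policy) to the outgoing response, that existing values are overwritten, and that the unused parameters keep the hook signature uniform, plus `): void {` on the closing line of the parameter list. It is also worth noting in that comment that `Headers.set` throws on a response whose headers are immutable (a redirect response, for instance), so callers should not pass such a response through this hook — I cannot tell from the hunk whether `ctx.next()` can ever return one, so confirm against the handler.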