website/src/csp/middleware.ts


import { FreshContext } from 'fresh'
import { applyCspRulesWithNonce, CspRules } from ':src/csp/mod.ts'
/**
 * Middleware that attaches a Content-Security-Policy to `response`.
 *
 * The policy is deny-by-default (`default-src 'none'`, `base-uri 'none'`,
 * `form-action 'none'`, `frame-ancestors 'none'`) and only opens the
 * directives the site needs. The finished rule set is handed to
 * `applyCspRulesWithNonce`, which — going by its name — is expected to add
 * the per-response nonce to the header; that behaviour lives in
 * `:src/csp/mod.ts`, not here.
 *
 * Reference: https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CSP
 *
 * @param _request - Incoming request; not consulted by this middleware.
 * @param response - Response the CSP header is applied to.
 * @param ctx - Fresh context; only `ctx.url.origin` is read (for the manifest URL).
 * @returns Whatever `applyCspRulesWithNonce` returns for `response` and the rules.
 */
export function useCsp(
  _request: Request,
  response: Response,
  ctx: FreshContext,
) {
  // The manifest must be fetched over HTTPS even when the request itself
  // arrived over plain HTTP (e.g. behind a TLS-terminating proxy), so the
  // scheme of the current origin is rewritten before it is embedded.
  const httpsOrigin = ctx.url.origin.replace('http:', 'https:')

  // Origins allowed for styles, images and fonts in addition to the
  // directive-specific entries below.
  const allowedOrigins = ["'self'", 'https://git.cohabit.fr']

  const cspRules: CspRules = {
    defaultSrc: ["'none'"],
    frameAncestors: ["'none'"],
    upgradeInsecureRequests: true,
    // NOTE(review): 'unsafe-inline' disables CSP protection for injected
    // inline styles. The original author's comment here read "set nonce to
    // inline script", which suggests the intent is to move inline styles
    // onto the nonce and drop 'unsafe-inline' — confirm before changing.
    styleSrc: allowedOrigins.concat("'unsafe-inline'"),
    manifestSrc: [`${httpsOrigin}/manifest.json`],
    baseUri: ["'none'"],
    // 'https:' permits images from any HTTPS origin, not just the trusted ones.
    imgSrc: allowedOrigins.concat('data:', 'https:'),
    fontSrc: allowedOrigins.concat('https://cdn.jsdelivr.net'),
    // With 'strict-dynamic', CSP3-aware browsers ignore host/'self' entries in
    // script-src and trust only nonce-/hash-marked scripts plus what they load;
    // 'self' is kept as the fallback for older engines.
    scriptSrc: ["'self'", "'strict-dynamic'"],
    connectSrc: ["'self'"],
    formAction: ["'none'"],
  }

  return applyCspRulesWithNonce(response, cspRules)
}