add various security-related HTTP headers

Revolution-Hacks · Nov 7, 2024 · a54a46b · a54a46b
1 parent e1f39bb
commit a54a46b
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 1 deletion.
diff --git a/src/hooks.server.ts b/src/hooks.server.ts
@@ -32,11 +32,34 @@ export const handle: Handle = async ({ event, resolve }) => {
 
   link.push(`</api/background.svg>; rel="preload"; as="image";`);
 
+  response.headers
+
   response.headers.set('link', link.join(','));
   response.headers.set(
     'Accept-CH',
     'Width, Viewport-Width, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-UA-Mobile'
   );
+  response.headers.set(
+    'Referer',
+    'no-referrer'
+  )
+  response.headers.set(
+    'Strict-Transport-Security',
+    // STS for 1 decade on all subdomains
+    'max-age=315360000; includeSubDomains; preload'
+  )
+  response.headers.set(
+    'X-Content-Type-Options',
+    'nnosniff'
+  )
+  response.headers.set(
+    'X-Frame-Options',
+    'DENY'
+  )
+  response.headers.set(
+    'Cross-Origin-Resource-Policy',
+    'same-origin'
+  )
 
   return response;
 };
diff --git a/svelte.config.js b/svelte.config.js
@@ -8,7 +8,13 @@ const config = {
     // adapter-auto only supports some environments, see https://kit.svelte.dev/docs/adapter-auto for a list.
     // If your environment is not supported or you settled on a specific environment, switch out the adapter.
     // See https://kit.svelte.dev/docs/adapters for more information about adapters.
-    adapter: adapter()
+    adapter: adapter(),
+    csp: {
+      directives: {
+        'default-src': ['self'],
+        'frame-ancestors': ['none']
+      }
+    }
   }
 };