gallery/server/headers.js


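// Default security headers stamped on every response (see formatHeaders /
// expressSetHeaders). Frozen so no caller can mutate the shared defaults;
// formatHeaders() hands out copies.
const STANDARD_HEADERS = Object.freeze({
  'Service-Worker-Allowed': '/', // Allow a service worker to intercept requests
  // Content-Security-Policy is currently disabled; the map form below is what
  // formatHeaders() would serialise into "directive value; directive value".
  // NOTE(review): a source expression wildcard is written bare (`*`), never
  // quoted as "'*'" — the quoted form is not a valid CSP source.
  // 'Content-Security-Policy': {
  //   'default-src': "'self'", // FF has a bug with SVGs: https://bugzilla.mozilla.org/show_bug.cgi?id=1262842
  //   'script-src': "'self' 'unsafe-eval'", // TODO: Use "strict-dynamic" for production; 'unsafe-eval' defeats most of the benefit
  //   'media-src': "'self'",
  //   'object-src': "'self'",
  //   'img-src': "'self' blob:",
  //   'connect-src': '*',
  //   'style-src': "'self' 'unsafe-inline'",
  //   'worker-src': '*',
  //   'frame-ancestors': "'none'" // No other site may include this in a frame
  // },
  'X-Content-Type-Options': 'nosniff', // http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
  'X-Frame-Options': 'DENY', // No other site may include this in a frame
  // Legacy header: current browsers ignore it and OWASP now recommends '0',
  // since the built-in auditor itself enabled cross-site leaks. A CSP is the
  // real control; kept as-is so the emitted header set does not change.
  'X-XSS-Protection': '1; mode=block',
  'Referrer-Policy': 'same-origin', // Don't send a referrer except back to this server
  // Any origin may read these responses cross-site. A wildcard is only safe
  // for public, non-credentialed content; narrow it if the server ever serves
  // per-user data.
  'Access-Control-Allow-Origin': '*',
  // Disabled. If enabled, max-age is a plain integer of seconds (no commas);
  // preload submission requires at least 31536000 (one year).
  // 'Strict-Transport-Security': 'max-age=<SECONDS>; includeSubDomains; preload',
});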
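/**
 * Build the header map sent with every response.
 *
 * Returns a fresh object so callers may add or override entries without
 * mutating the shared defaults. A value given as a plain object, e.g. a
 * Content-Security-Policy written as `{ 'default-src': "'self'", ... }`,
 * is serialised to the `directive value; directive value` wire form the
 * header expects; string values are copied through unchanged.
 *
 * @param {Object<string, (string|Object<string, string>)>} [headers=STANDARD_HEADERS]
 *   Header name → value. `null`/`undefined` yields an empty map.
 * @returns {Object<string, string>} Header name → formatted value.
 */
function formatHeaders(headers = STANDARD_HEADERS) {
  // Only a plain object is treated as a directive map; strings, arrays and
  // null are passed through unchanged.
  const isDirectiveMap = (value) =>
    value !== null && typeof value === 'object' && !Array.isArray(value);

  const formatted = {};
  for (const [name, value] of Object.entries(headers ?? {})) {
    formatted[name] = isDirectiveMap(value)
      ? Object.entries(value)
          .map(([directive, sources]) => `${directive} ${sources}`)
          .join('; ')
      : value;
  }
  return formatted;
}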
/**
 * Apply the standard response headers to an express response.
 *
 * The `(res, path, stat)` shape matches the `setHeaders` callback that
 * express.static invokes for each served file; `path` and `stat` are part of
 * that contract and intentionally unused here.
 *
 * @param {object} res  express response (must expose `set(headers)`)
 * @param {string} path  served file path (unused)
 * @param {object} stat  file stats (unused)
 */
function expressSetHeaders(res, path, stat) {
  const standard = formatHeaders();
  res.set(standard);
}
// Public surface: the formatter and the express.static `setHeaders` hook.
// STANDARD_HEADERS itself stays private; consumers receive copies via formatHeaders().
module.exports = { formatHeaders, expressSetHeaders };