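/**
 * Default security response headers for this server.
 *
 * 'Content-Security-Policy' is kept as a directive → value map here and
 * serialised into a single header string by formatHeaders(); every other
 * entry is sent as-is.
 */
const STANDARD_HEADERS = {
  'Service-Worker-Allowed': '/', // Allow a service worker to intercept requests for the whole origin scope
  'Content-Security-Policy': {
    'default-src': "'self'", // FF has a bug with SVGs: https://bugzilla.mozilla.org/show_bug.cgi?id=1262842
    'script-src': "'self'", // TODO: Use "strict-dynamic for production"
    'media-src': "'self'",
    'object-src': "'self'",
    'img-src': "'self' blob:",
    'connect-src': '*', // NOTE(review): '*' allows fetch/XHR/WebSocket to any origin; narrow to the origins the app actually calls
    'style-src': "'self' 'unsafe-inline'", // 'unsafe-inline' weakens the policy for injected <style>/style= content
    'worker-src': "'self'",
    'frame-ancestors': "'none'" // No other site may include this in a frame (modern replacement for X-Frame-Options)
  },
  'X-Content-Type-Options': 'nosniff', // http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
  'X-Frame-Options': 'DENY', // No other site may include this in a frame; kept alongside frame-ancestors for older browsers
  'X-XSS-Protection': '1; mode=block', // Legacy header, ignored by current browsers; the CSP above is the effective control
  'Referrer-Policy': 'same-origin' // Don't send a referrer except back to this server
  // 'Strict-Transport-Security': 'max-age=63,13904; includeSubDomains; preload',
  // (commented out; note the max-age value as written contains a stray comma and would not be a valid directive)
};

/**
 * Serialise a CSP directive map into the header's wire format.
 *
 * @param {Object<string, string>} directives - directive name → source list.
 * @returns {string} e.g. "default-src 'self'; img-src 'self' blob:".
 */
function formatCsp(directives) {
  return Object.entries(directives)
    .map(([directive, sources]) => `${directive} ${sources}`)
    .join('; ');
}

/**
 * Return a shallow copy of `headers` with 'Content-Security-Policy'
 * serialised from an object into a header string.
 *
 * A CSP value that is already a string is passed through unchanged, and a
 * header set without a CSP entry is returned as-is; the previous
 * implementation called Object.entries() unconditionally, which threw on a
 * missing entry and produced a nonsense policy ("0 d; 1 e; …") for a string.
 * The input object is never mutated.
 *
 * @param {Object} [headers=STANDARD_HEADERS] - header name → value map.
 * @returns {Object} header name → string value map.
 */
function formatHeaders(headers = STANDARD_HEADERS) {
  const formatted = Object.assign({}, headers);
  const csp = formatted['Content-Security-Policy'];
  // Only an object needs serialising; strings/absent values are left alone.
  if (csp !== null && typeof csp === 'object') {
    formatted['Content-Security-Policy'] = formatCsp(csp);
  }
  return formatted;
}

/**
 * `setHeaders` callback for express.static: applies the standard headers to
 * every static response. `path` and `stat` are supplied by express and are
 * intentionally unused.
 *
 * @param {import('express').Response} res - response to set headers on.
 * @param {string} path - file path being served (unused).
 * @param {import('fs').Stats} stat - file stats (unused).
 */
function expressSetHeaders(res, path, stat) {
  res.set(formatHeaders());
}

module.exports = { formatHeaders, expressSetHeaders };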