/**
 * Security headers attached to every response.
 *
 * 'Content-Security-Policy' is kept as a directive -> value object here for
 * readability; formatHeaders() serialises it into the header string, and the
 * directives are emitted in the key order written below.
 */
const STANDARD_HEADERS = {
  'Service-Worker-Allowed': '/', // Allow a service worker to intercept requests
  'Content-Security-Policy': {
    'default-src': "'self'", // FF has a bug with SVGs: https://bugzilla.mozilla.org/show_bug.cgi?id=1262842
    'script-src': "'self'", // TODO: Use "strict-dynamic for production"
    'media-src': "'self'",
    'object-src': "'self'",
    'img-src': "'self' blob:",
    'connect-src': '*', // NOTE(review): fetch/XHR/WebSocket may reach any origin; narrow this to the endpoints actually used if they are known
    'style-src': "'self' 'unsafe-inline'", // 'unsafe-inline' is needed for inline styles but removes CSP's protection against injected style blocks
    'worker-src': "'self'",
    'frame-ancestors': "'none'" // No other site may include this in a frame
  },
  'X-Content-Type-Options': 'nosniff', // http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
  'X-Frame-Options': 'DENY', // No other site may include this in a frame (legacy counterpart of frame-ancestors above)
  'X-XSS-Protection': '1; mode=block', // Legacy header; the browser XSS auditor it controls has been dropped by major browsers, CSP is the effective control
  'Referrer-Policy': 'same-origin' // Don't send a referrer except back to this server
  // 'Strict-Transport-Security': 'max-age=63,13904; includeSubDomains; preload',
  // NOTE(review): if HSTS is re-enabled, max-age must be a plain integer number of seconds; the comma in the value above would make the header invalid
};
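/**
 * Build the header map to send on a response.
 *
 * Returns a shallow copy of `headers` in which the 'Content-Security-Policy'
 * entry — kept as a directive -> value object in STANDARD_HEADERS — is
 * serialised into the `directive value; directive value` form the header
 * requires. Directive order follows the object's key order; every other entry
 * is copied through unchanged.
 *
 * @param {Object<string, string|Object<string, string>>} [headers=STANDARD_HEADERS]
 *   header map to serialise; never mutated.
 * @returns {Object<string, string>} copy of `headers` with the CSP as a string.
 */
function formatHeaders(headers = STANDARD_HEADERS) {
  const result = Object.assign({}, headers);
  const csp = result['Content-Security-Policy'];
  // No CSP entry, or one that is already a string (e.g. the output of an
  // earlier formatHeaders call): return the plain copy. Object.entries() on
  // undefined throws and on a string yields one entry per character, which
  // would silently produce a garbage policy.
  if (csp == null || typeof csp === 'string') {
    return result;
  }
  result['Content-Security-Policy'] = Object.entries(csp)
    .map(([directive, value]) => `${directive} ${value}`)
    .join('; ');
  return result;
}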
/**
 * Stamp the standard security headers onto an Express response.
 *
 * The (res, path, stat) signature matches the `setHeaders` hook shape used by
 * express.static (presumably where this is wired in — verify against the
 * caller); `path` and `stat` are deliberately unused because the same headers
 * go on every response.
 *
 * @param {object} res - Express response; `res.set` is called with the header map
 * @param {string} path - path of the file being served (unused)
 * @param {object} stat - file stats (unused)
 */
function expressSetHeaders(res, path, stat) {
  const securityHeaders = formatHeaders();
  res.set(securityHeaders);
}
// CommonJS exports: formatHeaders for callers that set the headers themselves,
// expressSetHeaders for use as a per-response setHeaders hook.
module.exports = {
  formatHeaders: formatHeaders,
  expressSetHeaders: expressSetHeaders
};