Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: harden headers security #592

Merged
merged 10 commits into from
Sep 22, 2023
Merged

feat: harden headers security #592

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
7cd313a
add: `hardenHeaders` middleware
Jabolol Sep 16, 2023
6f15b08
feat: improve `header` security
Jabolol Sep 16, 2023
7dfdf4a
fix: apply suggested changes
Jabolol Sep 17, 2023
1f981be
Merge branch 'main' into harden-headers
Jabolol Sep 20, 2023
9b75a7d
add: `security-headers` plugin
Jabolol Sep 20, 2023
ab5a168
add: `security-headers` testing
Jabolol Sep 20, 2023
cb57a26
fix: reference issue in `@todo` comment
Jabolol Sep 20, 2023
04270c1
fix: move testing to `security_headers_test.ts`
Jabolol Sep 20, 2023
a03157c
fix: missing `license`
Jabolol Sep 20, 2023
4c497b6
Merge branch 'main' into harden-headers
iuioiua Sep 22, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions fresh.config.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import twindConfig from "./twind.config.ts";
import kvOAuthPlugin from "./plugins/kv_oauth.ts";
import sessionPlugin from "./plugins/session.ts";
import errorHandling from "./plugins/error_handling.ts";
import securityHeaders from "./plugins/security_headers.ts";
import { FreshOptions } from "$fresh/server.ts";

export default {
Expand All @@ -12,5 +13,6 @@ export default {
sessionPlugin,
twindPlugin(twindConfig),
errorHandling,
securityHeaders,
],
} as FreshOptions;
36 changes: 36 additions & 0 deletions plugins/security_headers.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
// Copyright 2023 the Deno authors. All rights reserved. MIT license.
import { type Plugin } from "$fresh/server.ts";

export default {
name: "security-headers",
middlewares: [
{
path: "/",
middleware: {
handler: async (req, ctx) => {
if (
ctx.destination !== "route" ||
new URL(req.url).pathname.startsWith("/api")
) return await ctx.next();

const response = await ctx.next();

/** @todo(Jabolol) Implement `Content-Security-Policy` once https://github.com/denoland/fresh/pull/1787 lands */
response.headers.set(
"Strict-Transport-Security",
"max-age=63072000;",
);
response.headers.set(
"Referrer-Policy",
"strict-origin-when-cross-origin",
);
response.headers.set("X-Content-Type-Options", "nosniff");
response.headers.set("X-Frame-Options", "SAMEORIGIN");
response.headers.set("X-XSS-Protection", "1; mode=block");

return response;
},
},
},
],
} as Plugin;
23 changes: 23 additions & 0 deletions plugins/security_headers_test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
// Copyright 2023 the Deno authors. All rights reserved. MIT license.
import { createHandler } from "$fresh/server.ts";
import { assertEquals } from "std/assert/assert_equals.ts";
import manifest from "@/fresh.gen.ts";
import options from "@/fresh.config.ts";

const handler = await createHandler(manifest, options);

Deno.test("[middleware] security headers are present", async () => {
const resp = await handler(new Request("http://localhost"));

assertEquals(
resp.headers.get("strict-transport-security"),
"max-age=63072000;",
);
assertEquals(
resp.headers.get("referrer-policy"),
"strict-origin-when-cross-origin",
);
assertEquals(resp.headers.get("x-content-type-options"), "nosniff");
assertEquals(resp.headers.get("x-frame-options"), "SAMEORIGIN");
assertEquals(resp.headers.get("x-xss-protection"), "1; mode=block");
});
Loading