web/headers: fix CSP directives & refactor
This commit is contained in:
parent
97977efabd
commit
732199332e
1 changed files with 23 additions and 6 deletions
@ -1,15 +1,32 @@
|
|||
import env from "$lib/env";
|
||||
|
||||
export async function GET() {
|
||||
const CSP = [
|
||||
"default-src 'none'",
|
||||
"script-src 'self' challenges.cloudflare.com",
|
||||
"frame-src challenges.cloudflare.com",
|
||||
]
|
||||
const CSP = {
|
||||
"connect-src": ["*"],
|
||||
"default-src": ["'none'"],
|
||||
|
||||
"font-src": ["'self'"],
|
||||
"style-src": ["'self'"],
|
||||
"img-src": ["'self'"],
|
||||
"manifest-src": ["'self'"],
|
||||
"worker-src": ["'self'"],
|
||||
|
||||
"script-src": [
|
||||
"'self'",
|
||||
"challenges.cloudflare.com",
|
||||
env.PLAUSIBLE_HOST ? env.PLAUSIBLE_HOST : ""
|
||||
],
|
||||
"frame-src": ["challenges.cloudflare.com"],
|
||||
}
|
||||
|
||||
const _headers = {
|
||||
"/*": {
|
||||
"Cross-Origin-Opener-Policy": "same-origin",
|
||||
"Cross-Origin-Embedder-Policy": "require-corp",
|
||||
"Content-Security-Policy": CSP.join("; "),
|
||||
"Content-Security-Policy":
|
||||
Object.entries(CSP).map(
|
||||
([directive, values]) => `${directive} ${values.join(' ')}`
|
||||
).flat().join("; "),
|
||||
}
|
||||
}
|
||||
|
||||
|
|
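Review bot: The new CSP object omits `base-uri`, `form-action` and `frame-ancestors`, and unlike the fetch directives these three do not fall back to `default-src 'none'`, so the serialized policy still leaves `<base>` injection, form submission to foreign origins and framing of the page unrestricted (a `frame-ancestors 'none'` entry would also make a separate X-Frame-Options header unnecessary, which fits the `same-origin` COOP already set in `_headers`). The `script-src` entry `env.PLAUSIBLE_HOST ? env.PLAUSIBLE_HOST : ""` pushes an empty string into the list when the variable is unset, leaving a trailing space in the joined directive; spreading a conditional array avoids the placeholder entirely. `"connect-src": ["*"]` is the broadest grant in the policy, permitting fetch/XHR/WebSocket to any origin — it may be intentional for this app, but if the backend hosts are known, listing them is the tighter choice. The `.flat()` after the `Object.entries(CSP).map(...)` call is a no-op on an array of strings and can be dropped. Whether `form-action 'self'` is safe depends on whether any form posts off-origin, which is not visible here.
```javascript
const CSP = {
  "connect-src": ["*"],
  "default-src": ["'none'"],
  "base-uri": ["'self'"],
  "form-action": ["'self'"],
  "frame-ancestors": ["'none'"],
  // … unchanged: font-src, style-src, img-src, manifest-src, worker-src …
  "script-src": [
    "'self'",
    "challenges.cloudflare.com",
    ...(env.PLAUSIBLE_HOST ? [env.PLAUSIBLE_HOST] : []),
  ],
  // … unchanged: frame-src …
}
```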