web/headers: fix CSP directives & refactor
parent
97977efabd
commit
732199332e
1 changed files with 23 additions and 6 deletions
|
@ -1,15 +1,32 @@
|
||||||
|
import env from "$lib/env";
|
||||||
|
|
||||||
export async function GET() {
|
export async function GET() {
|
||||||
const CSP = [
|
const CSP = {
|
||||||
"default-src 'none'",
|
"connect-src": ["*"],
|
||||||
"script-src 'self' challenges.cloudflare.com",
|
"default-src": ["'none'"],
|
||||||
"frame-src challenges.cloudflare.com",
|
|
||||||
]
|
"font-src": ["'self'"],
|
||||||
|
"style-src": ["'self'"],
|
||||||
|
"img-src": ["'self'"],
|
||||||
|
"manifest-src": ["'self'"],
|
||||||
|
"worker-src": ["'self'"],
|
||||||
|
|
||||||
|
"script-src": [
|
||||||
|
"'self'",
|
||||||
|
"challenges.cloudflare.com",
|
||||||
|
env.PLAUSIBLE_HOST ? env.PLAUSIBLE_HOST : ""
|
||||||
|
],
|
||||||
|
"frame-src": ["challenges.cloudflare.com"],
|
||||||
|
}
|
||||||
|
|
||||||
const _headers = {
|
const _headers = {
|
||||||
"/*": {
|
"/*": {
|
||||||
"Cross-Origin-Opener-Policy": "same-origin",
|
"Cross-Origin-Opener-Policy": "same-origin",
|
||||||
"Cross-Origin-Embedder-Policy": "require-corp",
|
"Cross-Origin-Embedder-Policy": "require-corp",
|
||||||
"Content-Security-Policy": CSP.join("; "),
|
"Content-Security-Policy":
|
||||||
|
Object.entries(CSP).map(
|
||||||
|
([directive, values]) => `${directive} ${values.join(' ')}`
|
||||||
|
).flat().join("; "),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
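Review bot: The new `"connect-src": ["*"]` entry lets any script running on the page open fetch, XHR or WebSocket connections to every origin, so the policy no longer limits where data can be sent if one of the `script-src` sources is ever compromised. The old array form appears to have had no `connect-src` at all and so fell back to `default-src 'none'`. If the wildcard is needed (for example for user-chosen API endpoints, which the hunk does not show), put a comment above the entry saying why; otherwise list the known origins. In `script-src`, `env.PLAUSIBLE_HOST ? env.PLAUSIBLE_HOST : ""` leaves an empty source in the list when the variable is unset and copies the value into the header unchecked, so drop empty entries with `.filter(Boolean)` before `values.join(' ')` and consider rejecting a value that contains `;` or whitespace. The `.flat()` after `.map()` does nothing because the callback already returns strings; GET's body continues past the end of the hunk.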