
Update security headers
regalijan committed Oct 19, 2023
1 parent 6015dc3 commit 4c662cb
Showing 1 changed file with 13 additions and 7 deletions.
20 changes: 13 additions & 7 deletions functions/_middleware.ts
Expand Up @@ -16,7 +16,7 @@ async function constructHTML(context: RequestContext) {
async function generateTokenHash(token: string) {
const hash = await crypto.subtle.digest(
"SHA-512",
new TextEncoder().encode(token)
new TextEncoder().encode(token),
);
return btoa(String.fromCharCode(...new Uint8Array(hash)))
.replace(/\+/g, "-")
Expand All @@ -37,14 +37,14 @@ async function setAuth(context: RequestContext) {
if (name !== "_s") continue;

const userData = await context.env.DATA.get(
`auth_${await generateTokenHash(value)}`
`auth_${await generateTokenHash(value)}`,
);

if (userData) context.data.current_user = JSON.parse(userData);
else
context.request.headers.append(
"set-cookie",
"_s=; HttpOnly; Max-Age=0; Path=/; Secure;"
"_s=; HttpOnly; Max-Age=0; Path=/; Secure;",
);

break;
Expand Down Expand Up @@ -102,14 +102,20 @@ async function setHeaders(context: RequestContext) {
"Wintervale",
];

response.headers.set("Permissions-Policy", "clipboard-write=(self), interest-cohort=()");
response.headers.set(
"Content-Security-Policy",
"connect-src: https://o1071757.ingest.sentry.io https://storage.googleapis.com self; default-src: self; frame-src: https://challenges.cloudflare.com; img-src: https://cdn.discordapp.com https://mediaproxy.carcrushers.cc self; media-src: https://mediaproxy.carcrushers.cc; report-uri: https://o1071757.ingest.sentry.io/api/6069431/security/?sentry_key=3d2b34700e6942f9b739cd8b2001f70f; script=src: https://challenges.cloudflare.com self",
);
response.headers.set(
"Permissions-Policy",
"clipboard-write=(self)",
);
response.headers.set("Referrer-Policy", "same-origin");
response.headers.set(
"RTV",
rtvValues[Math.round(Math.random() * (rtvValues.length - 1))]
rtvValues[Math.round(Math.random() * (rtvValues.length - 1))],
);
response.headers.set("X-Frame-Options", "SAMEORIGIN");
response.headers.set("X-XSS-Protection", "1; mode=block");

return response;
}
Expand All @@ -125,7 +131,7 @@ async function setTheme(context: RequestContext) {
const cookieList = cookies.split("; ");

const themeCookie = cookieList.find((c) =>
c.startsWith("chakra-ui-color-mode")
c.startsWith("chakra-ui-color-mode"),
);
const theme = themeCookie?.split("=").at(1);

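Review bot: The Content-Security-Policy value added at L46 is not valid CSP syntax — every directive name carries a trailing colon (`connect-src:`), the keyword `self` is unquoted where CSP requires `'self'`, and `script=src` is a typo for `script-src` — so a browser will not recognise any of these directives and the header adds no protection. The policy should be rebuilt from correctly spelled directives, which stays readable as an array joined with `; ` (below). Because `default-src 'self'` with no `style-src` also blocks inline styles, it is worth shipping the corrected value under `Content-Security-Policy-Report-Only` first and checking the Sentry reports before enforcing it. The `X-XSS-Protection: 1; mode=block` value at L59 is deprecated and the current recommendation is `0` if the header is sent at all; whether that line is on the new side cannot be determined from this rendering.
```typescript
response.headers.set(
  "Content-Security-Policy",
  [
    "default-src 'self'",
    "connect-src 'self' https://o1071757.ingest.sentry.io https://storage.googleapis.com",
    "frame-src https://challenges.cloudflare.com",
    "img-src 'self' https://cdn.discordapp.com https://mediaproxy.carcrushers.cc",
    "media-src https://mediaproxy.carcrushers.cc",
    "script-src 'self' https://challenges.cloudflare.com",
    "report-uri https://o1071757.ingest.sentry.io/api/6069431/security/?sentry_key=3d2b34700e6942f9b739cd8b2001f70f",
  ].join("; "),
);
// … unchanged: Permissions-Policy, Referrer-Policy, RTV and remaining headers …
```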
