davide/ecommerce-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): add HTTP security headers (CSP, HSTS, X-Frame-Options)

Browse Source 
- middleware.ts: set X-Frame-Options, X-Content-Type-Options,
  Referrer-Policy, Permissions-Policy, Content-Security-Policy on all responses
- Caddyfile: add Strict-Transport-Security (HSTS 1y), X-Frame-Options,
  X-Content-Type-Options at reverse proxy level
This commit is contained in:
Davide Grilli
2026-05-19 10:10:05 +02:00
parent 2a6c3a1222
commit 0395a78008
2 changed files with 13 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Caddyfile
+5
View File
@@ -1,4 +1,9 @@
localhost { localhost {
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains"
X-Frame-Options "DENY"
X-Content-Type-Options "nosniff"
}
handle /uploads/* { handle /uploads/* {
root * /srv root * /srv
file_server file_server
app/src/middleware.ts
+8
View File
@@ -4,6 +4,14 @@ import type { NextRequest } from 'next/server'
export function middleware(request: NextRequest) { export function middleware(request: NextRequest) {
const response = NextResponse.next() const response = NextResponse.next()
response.headers.set('x-pathname', request.nextUrl.pathname) response.headers.set('x-pathname', request.nextUrl.pathname)
response.headers.set('X-Frame-Options', 'DENY')
response.headers.set('X-Content-Type-Options', 'nosniff')
response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin')
response.headers.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()')
response.headers.set(
'Content-Security-Policy',
"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; font-src 'self' data:; connect-src 'self' https://api.stripe.com; frame-src https://js.stripe.com; frame-ancestors 'none'"
)
return response return response
} }