Update security headers

regalijan 2023-10-19 16:50:20 -04:00
parent 6015dc3100
commit 4c662cbe51
Signed by: regalijan
GPG Key ID: 5D4196DA269EF520


@ -16,7 +16,7 @@ async function constructHTML(context: RequestContext) {
async function generateTokenHash(token: string) { async function generateTokenHash(token: string) {
const hash = await crypto.subtle.digest( const hash = await crypto.subtle.digest(
"SHA-512", "SHA-512",
new TextEncoder().encode(token) new TextEncoder().encode(token),
); );
return btoa(String.fromCharCode(...new Uint8Array(hash))) return btoa(String.fromCharCode(...new Uint8Array(hash)))
.replace(/\+/g, "-") .replace(/\+/g, "-")
@ -37,14 +37,14 @@ async function setAuth(context: RequestContext) {
if (name !== "_s") continue; if (name !== "_s") continue;
const userData = await context.env.DATA.get( const userData = await context.env.DATA.get(
`auth_${await generateTokenHash(value)}` `auth_${await generateTokenHash(value)}`,
); );
if (userData) context.data.current_user = JSON.parse(userData); if (userData) context.data.current_user = JSON.parse(userData);
else else
context.request.headers.append( context.request.headers.append(
"set-cookie", "set-cookie",
"_s=; HttpOnly; Max-Age=0; Path=/; Secure;" "_s=; HttpOnly; Max-Age=0; Path=/; Secure;",
); );
break; break;
@ -102,14 +102,20 @@ async function setHeaders(context: RequestContext) {
"Wintervale", "Wintervale",
]; ];
response.headers.set("Permissions-Policy", "clipboard-write=(self), interest-cohort=()"); response.headers.set(
"Content-Security-Policy",
"connect-src: https://o1071757.ingest.sentry.io https://storage.googleapis.com self; default-src: self; frame-src: https://challenges.cloudflare.com; img-src: https://cdn.discordapp.com https://mediaproxy.carcrushers.cc self; media-src: https://mediaproxy.carcrushers.cc; report-uri: https://o1071757.ingest.sentry.io/api/6069431/security/?sentry_key=3d2b34700e6942f9b739cd8b2001f70f; script=src: https://challenges.cloudflare.com self",
);
response.headers.set(
"Permissions-Policy",
"clipboard-write=(self)",
);
response.headers.set("Referrer-Policy", "same-origin"); response.headers.set("Referrer-Policy", "same-origin");
response.headers.set( response.headers.set(
"RTV", "RTV",
rtvValues[Math.round(Math.random() * (rtvValues.length - 1))] rtvValues[Math.round(Math.random() * (rtvValues.length - 1))],
); );
response.headers.set("X-Frame-Options", "SAMEORIGIN"); response.headers.set("X-Frame-Options", "SAMEORIGIN");
response.headers.set("X-XSS-Protection", "1; mode=block");
return response; return response;
} }
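Review bot: The new Content-Security-Policy string is syntactically invalid and will not enforce anything: every directive name carries a trailing colon (`connect-src:`, `default-src:`, …), `script=src` is a typo for `script-src`, and the keyword `self` is unquoted, so browsers treat each entry as an unknown directive (or `self` as a host named "self") and ignore it with a console warning. The intended policy, as one line, would be `"default-src 'self'; connect-src 'self' https://o1071757.ingest.sentry.io https://storage.googleapis.com; frame-src https://challenges.cloudflare.com; img-src 'self' https://cdn.discordapp.com https://mediaproxy.carcrushers.cc; media-src https://mediaproxy.carcrushers.cc; script-src 'self' https://challenges.cloudflare.com; report-uri https://o1071757.ingest.sentry.io/api/6069431/security/?sentry_key=3d2b34700e6942f9b739cd8b2001f70f"`. Once the policy actually parses, `style-src` falls back to `default-src 'self'`, which will block inline styles — if the site uses a runtime CSS-in-JS library (the `chakra-ui-color-mode` cookie in the later hunk suggests Chakra UI), consider rolling it out as `Content-Security-Policy-Report-Only` first, and adding `object-src 'none'; base-uri 'self'; frame-ancestors 'self'` to complement the retained X-Frame-Options. Dropping `X-XSS-Protection` and `interest-cohort=()` is fine, as both are obsolete. The body of `setHeaders` begins above this hunk.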
@ -125,7 +131,7 @@ async function setTheme(context: RequestContext) {
const cookieList = cookies.split("; "); const cookieList = cookies.split("; ");
const themeCookie = cookieList.find((c) => const themeCookie = cookieList.find((c) =>
c.startsWith("chakra-ui-color-mode") c.startsWith("chakra-ui-color-mode"),
); );
const theme = themeCookie?.split("=").at(1); const theme = themeCookie?.split("=").at(1);