security updates

src/hooks.server.js

@@ -0,0 +1,39 @@
+/** @type {import('@sveltejs/kit').Handle} */
+export async function handle({ event, resolve }) {
+  const response = await resolve(event);
+
+  // ── Security headers ────────────────────────────────────────────────────────
+  // Prevent clickjacking
+  response.headers.set('X-Frame-Options', 'SAMEORIGIN');
+
+  // Prevent MIME-type sniffing
+  response.headers.set('X-Content-Type-Options', 'nosniff');
+
+  // Control referrer information
+  response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
+
+  // Restrict browser features
+  response.headers.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
+
+  // Content Security Policy
+  // - default-src 'self': only load resources from our own origin
+  // - script-src 'self' 'unsafe-inline': SvelteKit needs inline scripts for hydration
+  // - style-src 'self' 'unsafe-inline' fonts.googleapis.com: inline styles + Google Fonts CSS
+  // - font-src 'self' fonts.gstatic.com: Google Fonts files
+  // - img-src 'self' data:: allow data URIs for any inline images
+  // - connect-src 'self': API calls only to our own origin
+  // - frame-ancestors 'none': belt-and-suspenders against clickjacking
+  response.headers.set('Content-Security-Policy', [
+    "default-src 'self'",
+    "script-src 'self' 'unsafe-inline'",
+    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
+    "font-src 'self' https://fonts.gstatic.com",
+    "img-src 'self' data:",
+    "connect-src 'self'",
+    "frame-ancestors 'none'",
+    "base-uri 'self'",
+    "form-action 'self'",
+  ].join('; '));
+
+  return response;
+}