40 lines
1.7 KiB
JavaScript
40 lines
1.7 KiB
JavaScript
/** @type {import('@sveltejs/kit').Handle} */
|
|
export async function handle({ event, resolve }) {
|
|
const response = await resolve(event);
|
|
|
|
// ── Security headers ────────────────────────────────────────────────────────
|
|
// Prevent clickjacking
|
|
response.headers.set('X-Frame-Options', 'SAMEORIGIN');
|
|
|
|
// Prevent MIME-type sniffing
|
|
response.headers.set('X-Content-Type-Options', 'nosniff');
|
|
|
|
// Control referrer information
|
|
response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
|
|
|
|
// Restrict browser features
|
|
response.headers.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
|
|
|
|
// Content Security Policy
|
|
// - default-src 'self': only load resources from our own origin
|
|
// - script-src 'self' 'unsafe-inline': SvelteKit needs inline scripts for hydration
|
|
// - style-src 'self' 'unsafe-inline' fonts.googleapis.com: inline styles + Google Fonts CSS
|
|
// - font-src 'self' fonts.gstatic.com: Google Fonts files
|
|
// - img-src 'self' data:: allow data URIs for any inline images
|
|
// - connect-src 'self': API calls only to our own origin
|
|
// - frame-ancestors 'none': belt-and-suspenders against clickjacking
|
|
response.headers.set('Content-Security-Policy', [
|
|
"default-src 'self'",
|
|
"script-src 'self' 'unsafe-inline'",
|
|
"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
|
|
"font-src 'self' https://fonts.gstatic.com",
|
|
"img-src 'self' data:",
|
|
"connect-src 'self'",
|
|
"frame-ancestors 'none'",
|
|
"base-uri 'self'",
|
|
"form-action 'self'",
|
|
].join('; '));
|
|
|
|
return response;
|
|
}
|