- Link project with https://coveralls.io/
- Write Tests
A serverless function that runs on Cloudflare Workers, intercepts incoming requests and sets the following headers on the response:
- "Content-Security-Policy" (a nonce-based strict policy; once a browser sees `'strict-dynamic'` it ignores `'unsafe-inline'` and `https:`, which are only fallbacks for older browsers, so every inline `<script>` in the served HTML must carry the matching `nonce` attribute):
default-src 'none'; form-action 'self'; font-src 'self'; img-src 'self'; script-src 'unsafe-inline' https: 'strict-dynamic' 'nonce-${nonce}'; style-src 'self'; base-uri 'none'; frame-ancestors 'none'; connect-src 'self'
- "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"
- "Permissions-Policy": "interest-cohort=()"
- "X-XSS-Protection": "0"
- "X-Frame-Options": "DENY"
- "X-Content-Type-Options": "nosniff"
- "Referrer-Policy": "strict-origin-when-cross-origin"
- "Cross-Origin-Embedder-Policy": 'require-corp; report-to="default";'
- "Cross-Origin-Opener-Policy": 'same-site; report-to="default";'
- "Cross-Origin-Resource-Policy": "same-site"
Two caveats on the last three headers. `same-site` is not a defined Cross-Origin-Opener-Policy value (the spec defines `unsafe-none`, `same-origin-allow-popups` and `same-origin`, and browsers treat an unrecognised value as `unsafe-none`), so the COOP line has to be `same-origin` for the page to become cross-origin isolated together with `require-corp`. The `report-to="default"` members only deliver reports if a `Report-To` or `Reporting-Endpoints` header defines a group or endpoint named `default`; otherwise they are silently ignored. Note also that `require-corp` blocks any cross-origin subresource that neither carries a Cross-Origin-Resource-Policy header nor is loaded with CORS, which matters for scripts pulled from other `https:` origins under this CSP.
It also removes the following headers:
- "Public-Key-Pins"
- "X-Powered-By"
- "X-AspNet-Version"
The rationale behind creating this was to increase the security and privacy of users of my static sites hosted on Cloudflare Pages.
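The Worker described above, written out as an added example (this is not the project's own code): a `fetch` handler that proxies the request to the Cloudflare Pages origin, strips the three headers, sets the policy headers with a fresh per-response nonce, and returns a new `Response`. Two deliberate deviations from the list: Cross-Origin-Opener-Policy is set to the valid `same-origin`, and the `report-to="default"` members are left out because no reporting endpoint is defined here. The function names (`buildCsp`, `applySecurityHeaders`, `makeNonce`) are my own.

```javascript
// Added example of the header-setting Worker described above; not the project's code.
// Deviations from the README list: COOP uses the valid value 'same-origin', and the
// report-to members are omitted (they need a Reporting-Endpoints header naming "default").

const REMOVED_HEADERS = ["Public-Key-Pins", "X-Powered-By", "X-AspNet-Version"];

// CSP3 strict policy: browsers that understand 'nonce-' and 'strict-dynamic'
// ignore 'unsafe-inline' and https:, which only serve older browsers.
function buildCsp(nonce) {
  return [
    "default-src 'none'",
    "form-action 'self'",
    "font-src 'self'",
    "img-src 'self'",
    `script-src 'unsafe-inline' https: 'strict-dynamic' 'nonce-${nonce}'`,
    "style-src 'self'",
    "base-uri 'none'",
    "frame-ancestors 'none'",
    "connect-src 'self'",
  ].join("; ");
}

function securityHeaders(nonce) {
  return {
    "Content-Security-Policy": buildCsp(nonce),
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Permissions-Policy": "interest-cohort=()",
    "X-XSS-Protection": "0",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Opener-Policy": "same-origin", // 'same-site' is not a COOP value
    "Cross-Origin-Resource-Policy": "same-site",
  };
}

// 128 bits from the Workers CSPRNG, base64-encoded: one nonce per response, so a
// nonce leaked from one page load is useless against any other.
function makeNonce() {
  const bytes = new Uint8Array(16);
  globalThis.crypto.getRandomValues(bytes);
  return btoa(String.fromCharCode(...bytes));
}

// Build a new Response with the policy applied. Responses returned by fetch() in
// Workers have immutable headers, so the headers are copied rather than mutated.
function applySecurityHeaders(response, nonce) {
  const headers = new Headers(response.headers);
  for (const name of REMOVED_HEADERS) headers.delete(name);
  for (const [name, value] of Object.entries(securityHeaders(nonce))) {
    headers.set(name, value);
  }
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers,
  });
}

// Worker entry point; add `export default worker;` when deploying as an ES-module Worker.
const worker = {
  async fetch(request) {
    const originResponse = await fetch(request); // forwarded to the Pages origin
    return applySecurityHeaders(originResponse, makeNonce());
  },
};
```

The nonce only does anything once it is also reflected into the `nonce` attribute of each inline `<script>` in the HTML body; in a Worker that is normally done with `HTMLRewriter` on the same response before it is returned, which this example leaves out.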