TODO

HTTP Security Headers

A serverless function ran on cloudflare workers that intercepts incoming requests and sets the following headers:

"Content-Security-Policy": default-src 'none'; form-action 'self'; font-src 'self'; img-src 'self'; script-src 'unsafe-inline' https: 'strict-dynamic' 'nonce-${nonce}'; style-src 'self'; base-uri 'none'; frame-ancestors 'none'; connect-src 'self'
"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"
"Permissions-Policy": "interest-cohort=()"
"X-XSS-Protection": "0"
"X-Frame-Options": "DENY"
"X-Content-Type-Options": "nosniff"
"Referrer-Policy": "strict-origin-when-cross-origin"
"Cross-Origin-Embedder-Policy": 'require-corp; report-to="default";'
"Cross-Origin-Opener-Policy": 'same-site; report-to="default";'
"Cross-Origin-Resource-Policy": "same-site"

It also removes the following headers:

The rational behind creating this was so I could increase the security & privacy of users on my static sites hosted on cloudflare pages

Name		Name	Last commit message	Last commit date
Latest commit History 11 Commits
.github/workflows		.github/workflows
.husky		.husky
src		src
.eslintignore		.eslintignore
.eslintrc.js		.eslintrc.js
.gitignore		.gitignore
.prettierignore		.prettierignore
.prettierrc		.prettierrc
README.md		README.md
jest.config.js		jest.config.js
package-lock.json		package-lock.json
package.json		package.json
tsconfig.json		tsconfig.json
webpack.config.js		webpack.config.js
wrangler.toml		wrangler.toml