feat(root): add additional security header

spicyzboss · Mar 31, 2024 · 031d40b · 031d40b
1 parent f9c1785
commit 031d40b
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 4 deletions.
diff --git a/apps/root/src/routes/plugin@csp.ts b/apps/root/src/routes/plugin@csp.ts
@@ -1,11 +1,11 @@
 import type { RequestHandler } from '@builder.io/qwik-city';
 import { isDev } from '@builder.io/qwik/build';
 
-export const onRequest: RequestHandler = (event) => {
+export const onRequest: RequestHandler = ({ request, sharedMap, headers }) => {
   if (isDev) return;
 
-  const nonce = event.request.headers.get('cf-ray') || Date.now().toString(36);
-  event.sharedMap.set('@nonce', nonce);
+  const nonce = request.headers.get('cf-ray') || Date.now().toString(36);
+  sharedMap.set('@nonce', nonce);
 
   const csp = [
     `default-src 'self' 'unsafe-inline'`,
@@ -18,5 +18,5 @@ export const onRequest: RequestHandler = (event) => {
     "base-uri 'self'",
   ];
 
-  event.headers.set('Content-Security-Policy', csp.join('; '));
+  headers.set('Content-Security-Policy', csp.join('; '));
 };
diff --git a/apps/root/src/routes/plugin@security.ts b/apps/root/src/routes/plugin@security.ts
@@ -0,0 +1,10 @@
+import { RequestHandler } from "@builder.io/qwik-city";
+
+export const onRequest: RequestHandler = ({ headers }) => {
+  const securityHeaders = {
+    'X-Frame-Options': 'sameorigin',
+    'X-XSS-Protection': '1; mode=block',
+  };
+
+  Object.entries(securityHeaders).map(([key, value]) => headers.set(key, value));
+};