@naisys/common 3.0.0-beta.7 → 3.0.0-beta.9
- package/dist/securityHeaders.js +7 -2
- package/package.json +1 -1
package/dist/securityHeaders.js
CHANGED
|
@@ -4,10 +4,15 @@
|
|
|
4
4
|
* Interfaces are duck-typed so @naisys/common doesn't need a Fastify dependency.
|
|
5
5
|
*/
|
|
6
6
|
export function registerSecurityHeaders(fastify, options) {
|
|
7
|
-
|
|
7
|
+
const strictCsp = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; connect-src 'self' ws: wss:; font-src 'self' data:; frame-ancestors 'none'";
|
|
8
|
+
// Scalar API reference needs inline scripts, eval (bundled Zod JIT),
|
|
9
|
+
// CDN assets, and outbound fetches to its proxy/registry services.
|
|
10
|
+
const apiReferenceCsp = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; img-src 'self' data: blob:; connect-src 'self' ws: wss: https://proxy.scalar.com https://api.scalar.com; font-src 'self' data: https://cdn.jsdelivr.net https://fonts.scalar.com; frame-ancestors 'none'";
|
|
11
|
+
fastify.addHook("onSend", (request, reply, _payload, done) => {
|
|
8
12
|
reply.header("X-Content-Type-Options", "nosniff");
|
|
9
13
|
reply.header("X-Frame-Options", "DENY");
|
|
10
|
-
|
|
14
|
+
const isApiReference = request.url.includes("/api-reference");
|
|
15
|
+
reply.header("Content-Security-Policy", isApiReference ? apiReferenceCsp : strictCsp);
|
|
11
16
|
if (options.enforceHsts) {
|
|
12
17
|
reply.header("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
|
|
13
18
|
}
|
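Review bot: The route check at new line 14, `request.url.includes("/api-reference")`, matches anywhere in the raw URL, including the query string, so any route can be served the relaxed policy (`'unsafe-inline'`, `'unsafe-eval'`, the CDN origins) by appending `?x=/api-reference` or by sitting under a path that merely contains that substring; the strict CSP then no longer applies where it was meant to. Match the path component with a prefix test instead: `const { pathname } = new URL(request.url, "http://localhost");` followed by `const isApiReference = pathname === "/api-reference" || pathname.startsWith("/api-reference/");`. A comment above the selection, such as `// Only the API reference pages get the relaxed CSP; everything else stays on the strict policy`, would make the intent explicit for the next reader. The `onSend` hook callback and `registerSecurityHeaders` itself continue past the end of the hunk, so `done()` and the closing braces are not visible here.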