https://cloudflareworkers.com for Security Headers - https://developers.cloudflare.com/workers/about/
// https://developers.cloudflare.com/workers/about/
// https://tutorial.cloudflareworkers.com
//
// A Service Worker which adds Security Headers to text responses.
// Checks:
// https://securityheaders.io/
// https://observatory.mozilla.org/
// https://csp-evaluator.withgoogle.com/
// https://hstspreload.org/
// https://www.ssllabs.com/ssltest/
//
// Register the worker: every incoming fetch event is answered with the
// (possibly header-augmented) response produced by fetchAndReplace.
addEventListener("fetch", function (event) {
  const patched = fetchAndReplace(event.request);
  event.respondWith(patched);
});
async function fetchAndReplace(request) { | |
// Fetch the response. | |
const response = await fetch(request) | |
// Make sure we only modify text, not images. | |
let type = response.headers.get("Content-Type") || "" | |
if (!type.startsWith("text/")) { | |
// Not text. Don't modify. | |
return response | |
} | |
// Add the Security Headers to the response | |
let newHeaders = new Headers(response.headers) | |
// ❤️ emoji | |
newHeaders.append('X-emoji', '😎') | |
// Please set the HSTS header from the Cloudflare dashboard | |
// -> https://support.cloudflare.com/hc/en-us/articles/204183088-Does-Cloudflare-offer-HSTS-HTTP-Strict-Transport-Security- | |
// https://wiki.mozilla.org/Security/Guidelines/Web_Security#HTTP_Strict_Transport_Security | |
// https://scotthelme.co.uk/hsts-the-missing-link-in-tls/ | |
// Preload list -> https://hstspreload.org/ | |
//newHeaders.set("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload") | |
//newHeaders.set("Strict-Transport-Security", "max-age=31536000") | |
// https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-Content-Type-Options | |
// https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options | |
// This header can be set through the Cloudflare dashboard where the HSTS header can be configured. | |
//newHeaders.set('X-Content-Type-Options', 'nosniff') | |
// Expect-CT header -> https://scotthelme.co.uk/a-new-security-header-expect-ct/ | |
// Cloudflare already sets it if you you use their certs: expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" | |
// newHeaders.set('expect-ct', 'max-age=604800, report-uri="https://yourdomain.report-uri.com/r/d/ct/enforce"') | |
// https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-Frame-Options | |
// https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options | |
newHeaders.set("X-Frame-Options", "deny") | |
// https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-XSS-Protection | |
// https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection | |
newHeaders.set('X-XSS-Protection', '1; mode=block') | |
// https://wiki.mozilla.org/Security/Guidelines/Web_Security#Referrer_Policy | |
// https://scotthelme.co.uk/a-new-security-header-referrer-policy/ | |
// "no-referrer", "same-origin", "strict-origin" or "strict-origin-when-cross-origin" | |
newHeaders.set('Referrer-Policy', 'strict-origin') | |
// https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP | |
// https://developers.google.com/web/fundamentals/security/csp/ | |
// https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy | |
// https://scotthelme.co.uk/content-security-policy-an-introduction/ | |
// CSP Builder -> https://report-uri.com/home/generate | |
// Check CSP -> https://csp-evaluator.withgoogle.com/ | |
//newHeaders.set("Content-Security-Policy", "default-src 'self'") // You need to modify and enable this so suit your website | |
// https://developers.google.com/web/updates/2018/06/feature-policy | |
// https://scotthelme.co.uk/a-new-security-header-feature-policy/ | |
// https://github.com/WICG/feature-policy | |
// https://docs.google.com/document/d/1k0Ua-ZWlM_PsFCFdLMa8kaVTo32PeNZ4G7FFHqpFx4E/edit | |
// Demo: https://feature-policy-demos.appspot.com/ | |
// List of browser APIs to limit or disable. | |
newHeaders.set("Feature-Policy", "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; usb 'none'; vibrate 'none'; document-write 'none'; sync-xhr 'none'") | |
// Remove the 'Server' header | |
// Cloudflare sets their own header so don't use this, It will do nothing. | |
// https://scotthelme.co.uk/hardening-your-http-response-headers/#removingheaders | |
//newHeaders.delete("Server") | |
// Further recommendations to consider: | |
// Check the status of the TLS connection -> https://www.ssllabs.com/ssltest/ | |
// Set a CAA DNS record -> https://scotthelme.co.uk/certificate-authority-authorization/ | |
// Return modified response | |
return new Response(response.body, { | |
status: response.status, | |
statusText: response.statusText, | |
headers: newHeaders | |
}) | |
} |