@olbat
Forked from publicarray/worker.js
Created October 21, 2018 12:39
// https://developers.cloudflare.com/workers/about/
// https://tutorial.cloudflareworkers.com
//
// A Service Worker which adds Security Headers.
// Checks:
// https://securityheaders.io/
// https://observatory.mozilla.org/
// https://csp-evaluator.withgoogle.com/
// https://hstspreload.org/
// https://www.ssllabs.com/ssltest/
//
// Worker entry point: every request flowing through the Worker is answered by
// fetchAndReplace(), which proxies it upstream and hardens the response headers.
addEventListener("fetch", (event) => {
  const hardened = fetchAndReplace(event.request);
  event.respondWith(hardened);
});
async function fetchAndReplace(request) {
// Fetch the response.
const response = await fetch(request)
// Make sure we only modify text, not images.
let type = response.headers.get("Content-Type") || ""
if (!type.startsWith("text/")) {
// Not text. Don't modify.
return response
}
// Add the Security Headers to the response
let newHeaders = new Headers(response.headers)
// ❤️ emoji
newHeaders.append('X-emoji', '😎')
// Please set the HSTS header from the Cloudflare dashboard
// -> https://support.cloudflare.com/hc/en-us/articles/204183088-Does-Cloudflare-offer-HSTS-HTTP-Strict-Transport-Security-
// https://wiki.mozilla.org/Security/Guidelines/Web_Security#HTTP_Strict_Transport_Security
// https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
// Preload list -> https://hstspreload.org/
//newHeaders.set("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")
//newHeaders.set("Strict-Transport-Security", "max-age=31536000")
// https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-Content-Type-Options
// https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
// This header can be set through the Cloudflare dashboard where the HSTS header can be configured.
//newHeaders.set('X-Content-Type-Options', 'nosniff')
// Expect-CT header -> https://scotthelme.co.uk/a-new-security-header-expect-ct/
// Cloudflare already sets it if you you use their certs: expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
// newHeaders.set('expect-ct', 'max-age=604800, report-uri="https://yourdomain.report-uri.com/r/d/ct/enforce"')
// https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-Frame-Options
// https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
newHeaders.set("X-Frame-Options", "deny")
// https://wiki.mozilla.org/Security/Guidelines/Web_Security#X-XSS-Protection
// https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection
newHeaders.set('X-XSS-Protection', '1; mode=block')
// https://wiki.mozilla.org/Security/Guidelines/Web_Security#Referrer_Policy
// https://scotthelme.co.uk/a-new-security-header-referrer-policy/
// "no-referrer", "same-origin", "strict-origin" or "strict-origin-when-cross-origin"
newHeaders.set('Referrer-Policy', 'strict-origin')
// https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
// https://developers.google.com/web/fundamentals/security/csp/
// https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy
// https://scotthelme.co.uk/content-security-policy-an-introduction/
// CSP Builder -> https://report-uri.com/home/generate
// Check CSP -> https://csp-evaluator.withgoogle.com/
//newHeaders.set("Content-Security-Policy", "default-src 'self'") // You need to modify and enable this so suit your website
// https://developers.google.com/web/updates/2018/06/feature-policy
// https://scotthelme.co.uk/a-new-security-header-feature-policy/
// https://github.com/WICG/feature-policy
// https://docs.google.com/document/d/1k0Ua-ZWlM_PsFCFdLMa8kaVTo32PeNZ4G7FFHqpFx4E/edit
// Demo: https://feature-policy-demos.appspot.com/
// List of browser APIs to limit or disable.
newHeaders.set("Feature-Policy", "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; usb 'none'; vibrate 'none'; document-write 'none'; sync-xhr 'none'")
// Remove the 'Server' header
// Cloudflare sets their own header so don't use this, It will do nothing.
// https://scotthelme.co.uk/hardening-your-http-response-headers/#removingheaders
//newHeaders.delete("Server")
// Further recommendations to consider:
// Check the status of the TLS connection -> https://www.ssllabs.com/ssltest/
// Set a CAA DNS record -> https://scotthelme.co.uk/certificate-authority-authorization/
// Return modified response
return new Response(response.body, {
status: response.status,
statusText: response.statusText,
headers: newHeaders
})
}