embed HTTP header configuration no more code generation!
1 file changed, 25 insertions(+), 4 deletions(-)
M internal/website/website.go → internal/website/website.go
@@ -22,6 +22,7 @@ "go.alanpearce.eu/homestead/templates" "go.alanpearce.eu/x/log" "github.com/benpate/digit" + "github.com/crewjam/csp" "github.com/osdevisnot/sorvor/pkg/livereload" )@@ -45,9 +46,28 @@ log *log.Logger reader storage.Reader me digit.Resource acctResource string + CSP *csp.Header *server.App } +var CSPHeader = csp.Header{ + DefaultSrc: []string{"'none'"}, + FormAction: []string{"'none'"}, + BaseURI: []string{"'none'"}, + ImgSrc: []string{"'self'"}, + ScriptSrc: []string{"'self'"}, + StyleSrc: []string{"'self'"}, + FrameAncestors: []string{"https://kagi.com"}, + RequireTrustedTypesFor: []csp.RequireTrustedTypesFor{csp.RTTFScript}, +} + +var ExtraHeaders = map[string]string{ + "Cache-Control": "max-age=14400", + "X-Content-Type-Options": "nosniff", + "Referrer-Policy": "strict-origin-when-cross-origin", + "Cross-Origin-Resource-Policy": "same-site", +} + func New( opts *Options, log *log.Logger,@@ -88,6 +108,11 @@ if err != nil { return nil, errors.WithMessage(err, "could not set up fetcher") } + if opts.Development { + CSPHeader.ScriptSrc = slices.Insert(CSPHeader.ScriptSrc, 0, "'unsafe-inline'") + CSPHeader.ConnectSrc = slices.Insert(CSPHeader.ConnectSrc, 0, "'self'") + } + firstUpdate := make(chan bool) go func() { updated := sync.OnceFunc(func() {@@ -108,10 +133,6 @@ Menu: cfg.Menu, InjectLiveReload: opts.Development, } - if opts.Development { - cfg.CSP.ScriptSrc = slices.Insert(cfg.CSP.ScriptSrc, 0, "'unsafe-inline'") - cfg.CSP.ConnectSrc = slices.Insert(cfg.CSP.ConnectSrc, 0, "'self'") - } if opts.GoatcounterToken == "" { if !opts.Development { log.Warn("in production without a goatcounter token")
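Review bot: `CSPHeader` and `ExtraHeaders` in the second hunk are exported package-level variables with no doc comments, and both are mutable (a struct of slices and a map), so any importing package can rewrite the site's response-header policy at runtime. Unless another package needs to adjust them, make them unexported or hand them out through a function that returns a fresh copy; I cannot see in this diff where either value is applied to responses, so I have not judged the header choices themselves. If they stay exported, add at least `// CSPHeader is the baseline Content-Security-Policy for the site; New relaxes it when opts.Development is set.` and `// ExtraHeaders are fixed security and caching headers meant to accompany the CSP on responses.`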
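Review bot: The added Development branch in the third hunk mutates the package-level `CSPHeader` in place, so `New` is no longer idempotent: a second call in the same process (tests, or constructing more than one site) prepends `'unsafe-inline'` to `ScriptSrc` again, and every other reader of `CSPHeader` now sees the relaxed policy. The code this replaces (removed in the last hunk) mutated `cfg.CSP`, which was per-instance, so the move to a global is a behaviour change rather than just a relocation. Work on a copy instead, and store `&hdr` in the new `CSP` field where the struct is built; `New` begins and continues outside this hunk, so that assignment is not visible here. `slices.Insert` on a nil `ConnectSrc` is fine and needs no guard.
```go
	// … unchanged: fetcher setup and error check …
	// Work on a per-instance copy so New stays idempotent and the
	// package-level baseline is never relaxed for other callers.
	hdr := CSPHeader
	hdr.ScriptSrc = slices.Clone(hdr.ScriptSrc)
	hdr.ConnectSrc = slices.Clone(hdr.ConnectSrc)
	if opts.Development {
		hdr.ScriptSrc = slices.Insert(hdr.ScriptSrc, 0, "'unsafe-inline'")
		hdr.ConnectSrc = slices.Insert(hdr.ConnectSrc, 0, "'self'")
	}
	// … unchanged: firstUpdate channel and update goroutine …
```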