add security headers

aptabase · Mar 21, 2024 · e43019d · e43019d
1 parent a5bc959
commit e43019d
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/src/Program.cs b/src/Program.cs
@@ -186,11 +186,16 @@ public static void Main(string[] args)
 
         if (appEnv.IsProduction)
         {
+            app.UseHsts();
             app.MapFallbackToFile("index.html", new StaticFileOptions
             {
                 OnPrepareResponse = ctx =>
                 {
-                    ctx.Context.Response.Headers.Append("Cache-Control", "no-store,no-cache");
+                    ctx.Context.Response.Headers.Add("Content-Security-Policy", "default-src 'self' 'unsafe-inline'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline' https://client.crisp.chat; script-src 'self' 'unsafe-inline' https://client.crisp.chat; font-src 'self' https://client.crisp.chat; connect-src wss://client.relay.crisp.chat https://client.crisp.chat;");
+                    ctx.Context.Response.Headers.Add("X-Frame-Options", "DENY");
+                    ctx.Context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
+                    ctx.Context.Response.Headers.Add("X-XSS-Protection", "1; mode=block");
+                    ctx.Context.Response.Headers.Add("Cache-Control", "no-store,no-cache");
                 }
             });
 

diff --git a/src/vite.config.ts b/src/vite.config.ts
@@ -23,6 +23,9 @@ export default defineConfig({
   },
   server: {
     port: 3000,
+    headers: {
+      "Content-Security-Policy": `default-src 'self' 'unsafe-inline'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline' https://client.crisp.chat; script-src 'self' 'unsafe-inline' https://client.crisp.chat; font-src 'self' https://client.crisp.chat; connect-src wss://client.relay.crisp.chat https://client.crisp.chat ws://localhost:3000 http://localhost:3000`,
+    },
     proxy: {
       "/uploads": {
         target: "http://localhost:5251",