feat: enhance security headers and update content security policy in response and HTML files

2026-06-20 13:00:39 +00:00 · 2026-03-01 22:34:13 +08:00
parent c0683016c3
commit ace9f4f5ac
5 changed files with 19 additions and 14 deletions
@@ -49,6 +49,11 @@ export function applyCors(
  for (const [k, v] of Object.entries(corsHeaders)) {
    headers.set(k, v);
  }
+  // Security headers applied to every response.
+  headers.set('X-Frame-Options', 'DENY');
+  headers.set('X-Content-Type-Options', 'nosniff');
+  headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
+  headers.set('Content-Security-Policy', "frame-ancestors 'none'");
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,