From f20a71e8a8025ca7df48f6bd9fd25c859d78999f Mon Sep 17 00:00:00 2001
From: shuaiplus <2327005759@qq.com>
Date: Sun, 1 Mar 2026 22:34:13 +0800
Subject: [PATCH] feat: enhance security headers and update content security policy in response and HTML files
---
 src/utils/response.ts | 5 +++++
 webapp/index.html | 2 +-
 webapp/src/App.tsx | 6 +++---
 webapp/src/components/HelpPage.tsx | 8 ++++----
 webapp/src/lib/i18n.ts | 12 ++++++------
 5 files changed, 19 insertions(+), 14 deletions(-)
diff --git a/src/utils/response.ts b/src/utils/response.ts
index a9bb24c..d2bac28 100644
--- a/src/utils/response.ts
+++ b/src/utils/response.ts
@@ -49,6 +49,11 @@ export function applyCors(
 for (const [k, v] of Object.entries(corsHeaders)) {
 headers.set(k, v);
 }
+ // Security headers applied to every response.
+ headers.set('X-Frame-Options', 'DENY');
+ headers.set('X-Content-Type-Options', 'nosniff');
+ headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
+ headers.set('Content-Security-Policy', "frame-ancestors 'none'");
 return new Response(response.body, {
 status: response.status,
 statusText: response.statusText,
diff --git a/webapp/index.html b/webapp/index.html
index dfe3254..d1a820a 100644
--- a/webapp/index.html
+++ b/webapp/index.html
@@ -3,7 +3,7 @@ - + NodeWarden
diff --git a/webapp/src/App.tsx b/webapp/src/App.tsx
index 5dea394..60bb3dd 100644
--- a/webapp/src/App.tsx
+++ b/webapp/src/App.tsx
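Review bot: In `applyCors` (src/utils/response.ts), the added `headers.set('Content-Security-Policy', "frame-ancestors 'none'")` unconditionally overwrites any Content-Security-Policy already present on `headers`. If `headers` is seeded from the wrapped response (not visible in this hunk), a stricter policy set by a handler would be silently replaced by one that only restricts framing. Guarding it keeps the stronger policy: `if (!headers.has('Content-Security-Policy')) headers.set('Content-Security-Policy', "frame-ancestors 'none'");`. The comment "applied to every response" also holds only for responses that are routed through `applyCors`, so I would reword it to `// Security headers for responses passed through applyCors; paths that return a Response without it are not covered.` and confirm that error and static-asset paths go through this function. The body of `applyCors` starts and ends outside the hunk.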
@@ -1,7 +1,7 @@
 import { useEffect, useMemo, useState } from 'preact/hooks';
 import { Link, Route, Switch, useLocation } from 'wouter';
 import { useQuery } from '@tanstack/react-query';
-import { CircleHelp, Lock, LogOut, Send as SendIcon, Settings as SettingsIcon, Shield, ShieldUser, Vault } from 'lucide-preact';
+import { HardDriveDownload, Lock, LogOut, Send as SendIcon, Settings as SettingsIcon, Shield, ShieldUser, Vault } from 'lucide-preact';
 import AuthViews from '@/components/AuthViews';
 import ConfirmDialog from '@/components/ConfirmDialog';
 import ToastHost from '@/components/ToastHost';
@@ -978,8 +978,8 @@ export default function App() { {t('nav_device_management')} - - {t('nav_support_center')} + + {t('nav_backup_strategy')}
diff --git a/webapp/src/components/HelpPage.tsx b/webapp/src/components/HelpPage.tsx
index 4012399..562a00c 100644
--- a/webapp/src/components/HelpPage.tsx
+++ b/webapp/src/components/HelpPage.tsx
@@ -1,15 +1,15 @@
-import { Construction } from 'lucide-preact';
+import { HardDriveDownload } from 'lucide-preact';
 import { t } from '@/lib/i18n';
 export default function HelpPage() {
 return (
-

{t('support_title')}

+

{t('backup_strategy_title')}

- -
{t('support_under_construction')}
+ +
{t('backup_strategy_under_construction')}
diff --git a/webapp/src/lib/i18n.ts b/webapp/src/lib/i18n.ts
index fc08d1e..a873b28 100644
--- a/webapp/src/lib/i18n.ts
+++ b/webapp/src/lib/i18n.ts
@@ -9,9 +9,9 @@ const messages: Record> = {
 nav_device_management: "Device Management",
 nav_my_vault: "My Vault",
 nav_sends: "Sends",
- nav_support_center: "Support Center",
- support_title: "Support Center",
- support_under_construction: "Under construction.",
+ nav_backup_strategy: "Backup Strategy",
+ backup_strategy_title: "Backup Strategy",
+ backup_strategy_under_construction: "Under construction.",
 txt_access_count: "Access Count",
 txt_accessed_count_times: "Accessed {count} times",
 txt_actions: "Actions",
@@ -367,9 +367,9 @@ const zhCNOverrides: Record = {
 nav_admin_panel: '管理面板',
 nav_account_settings: '账户设置',
 nav_device_management: '设备管理',
- nav_support_center: '支持中心',
- support_title: '支持中心',
- support_under_construction: '正在搭建中',
+ nav_backup_strategy: '备份策略',
+ backup_strategy_title: '备份策略',
+ backup_strategy_under_construction: '正在搭建中',
 txt_sign_out: '退出登录',
 txt_log_in: '登录',
 txt_log_out: '退出',